Nostr notes by Feross

🚨 Bitwarden CLI compromised in active supply chain attack. ...

2026-04-23T14:25:59Z

🚨 Bitwarden CLI compromised in active supply chain attack.

@bitwarden/cli version 2026.4.0 contains malicious code in bw1.js, published after attackers compromised a GitHub Action in Bitwarden's CI/CD pipeline.

This is part of the broader Checkmarx supply chain campaign that has been hitting multiple repositories through the same GitHub Actions vector. Bitwarden is the latest confirmed target.

Socket's research team discovered the compromise. We're conducting a full technical analysis now and will publish IOCs, affected version details, and remediation guidance.

If you use Bitwarden CLI:

• Review your CI logs for unexpected behavior in recent builds
• Rotate any secrets that may have been exposed to the compromised workflow
• Pin to a known-good version until this is resolved

Developing story...

See how the attack worked →

https://socket.dev/blog/bitwarden-cli-compromised

Today, Socket's Threat Research Team disclosed a large-scale ...

2025-10-09T20:07:24Z

Today, Socket's Threat Research Team disclosed a large-scale phishing infrastructure that abused npm + unpkg as free CDN hosting.

What we found:
• 175 malicious npm packages (randomized names, pattern redirect-xxxxxx) with 26k+ downloads.
• 630+ HTML lure files, tailored to victims (purchase orders, specs, project docs).
• 7 phishing domains and tooling that automated package creation + publishing per target.
• 135+ targeted organizations across industrial, tech, and energy sectors (heavy focus in Western Europe).

We’ve named the operation Beamglea — the packages’ payloads are tiny redirect scripts (beamglea.js) that append a victim email and send the user to credential-harvesting pages.

Why this is dangerous:
• This isn’t a typical npm supply chain attack — it’s infrastructure abuse. The attackers are using npm’s public registry and unpkg’s automatic HTTPS hosting as an inexpensive, trusted CDN for phishing. That makes detection harder and gives their phishing pages plausible legitimacy (pre-filled emails, polished lures).

Practical recommendations (do these immediately):
• Force password resets for accounts in the IOC list — prioritize Office 365 accounts.
• Require MFA across all email and cloud accounts.
• Quarantine or strip HTML attachments at the gateway (legitimate business rarely needs raw HTML attachments).
• Monitor network traffic for unpkg.com/*/beamglea.js patterns and the seven known C2 domains.
• Audit recent email attachments (Sept–Oct 2025) for PO/contract-themed HTML files.
• Review wire/financial activity for signs of BEC following credential theft.

Indicators we published:
• Full list of package names (pattern: redirect-<6 chars>), the seven domains, and a set of author aliases we observed. Treat any detection of these IOCs as high-severity.

Why this matters long-term:
• This campaign shows a new, repeatable playbook: weaponize public package registries + CDNs as disposable phishing infrastructure. Expect iteration — alternate CDNs, obfuscated JS, geofencing, and DGA-like domain rotations. Defenders should treat public registry assets and CDN-served scripts as part of the threat surface, not just developer tools.

If you run an org with public-facing email accounts, developer teams, or supply-chain processes, Socket’s research includes the full IOCs and recommended detection rules — reach out if you need help operationalizing these mitigations.

https://socket.dev/blog/175-malicious-npm-packages-host-phishing-infrastructure

🚨 New twist in the npm malware wars: Socket just uncovered a ...

2025-09-22T21:01:19Z

🚨 New twist in the npm malware wars:

Socket just uncovered a malicious package, fezbox, that hides its payload inside a QR code image.

Yes, you read that right. JavaScript malware using QR code steganography to steal browser cookies & passwords.

⬇️ Technical detail below

https://socket.dev/blog/malicious-fezbox-npm-package-steals-browser-passwords-from-cookies-via-innovative-qr-code?utm_medium=feed

UPDATE: This is not over. 👇 Another wave of these npm supply ...

2025-09-16T14:06:31Z

In reply to nevent1q…f5ws
_________________________

UPDATE: This is not over. 👇

Another wave of these npm supply chain attacks just hit this morning, less than 24 hours later. This time targeting Crowdstrike packages (!!)

https://infosec.exchange/@feross/115214357322919334

🚨 Breaking: Another major supply chain attack on npm. The ...

2025-09-16T03:12:29Z

🚨 Breaking: Another major supply chain attack on npm.

The popular Control (npub1xgx…xa3d)/tinycolor package was compromised in a sophisticated campaign that spread to 40+ packages across multiple maintainers.

The malware:
• Hijacks the publish process
• Injects a malicious script (bundle.js)
• Runs automatically on install
• Scans for tokens (npm, GitHub, AWS, GCP)
• Even drops a GitHub Actions workflow to persist and exfiltrate secrets

This is one of the more advanced attacks we’ve seen recently — targeting not just developers’ machines, but CI/CD pipelines and cloud infra.

Socket’s automated malware detection flagged the threat, and our research team is now analyzing the payload in depth. We’ll be publishing a full technical report soon.

For now:
👉 Uninstall or pin to safe versions
👉 Rotate exposed tokens
👉 Audit your environments for suspicious publishes

https://socket.dev/blog/tinycolor-supply-chain-attack-affects-40-packages