Attack on German companies via NPM packages

A new batch of malicious NPM packages has been identified that were created to attack the German companies Bertelsmann, Bosch, Stihl and DB Schenker. The attack uses the dependency confusion method, which exploits the overlap of dependency names between public and internal repositories. In publicly available applications, the attackers find the names of internal NPM packages that are downloaded from corporate repositories, and then place packages with the same names but newer version numbers in the public NPM repository. If, at build time, the internal libraries are not explicitly bound to their repository in the settings, the npm package manager treats the public repository as the higher priority and downloads the package prepared by the attacker.

Unlike previously documented attempts to spoof internal packages, which were mostly carried out by security researchers to earn bounties for finding vulnerabilities in the products of large companies, the detected packages contain no notice that they are part of a test and include obfuscated malicious code that downloads and runs a backdoor for remote control of the affected system.

The full list of packages involved in the attack has not been reported; as examples, only the packages gxm-reference-web-auth-server, ldtzstxwzpntxqn and lznfjbhurpjsqmr are mentioned, which were published under the boschnodemodules account in the NPM repository with new version numbers 0.5.70 and 4.0.49, 4 higher than those of the original internal packages. It is still unclear how the attackers managed to discover the names and versions of internal libraries that are not mentioned in open repositories. It is believed that the information was obtained as a result of internal information leaks. Researchers monitoring the publication of new packages reported to the NPM administration that the malicious packages were identified hours after their publication.
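One check a defender can run against a build's lock file, as an added example that is not from the article or from any of the companies named: it flags packages with internal-only names whose tarball was resolved from the public registry instead of the internal one, which is exactly the symptom of the confusion described above. The internal registry URL, the `@corp/` scope and the lock-file entries are constructed for illustration.

```javascript
// Added example, not from the original article: audit a package-lock.json
// (lockfileVersion 3 layout) for internal-named packages that npm resolved
// from the public registry. All URLs and entries below are constructed.

const INTERNAL_REGISTRY = "https://npm.internal.example/"; // assumed internal registry
// Names, or scope prefixes ending in "/", that exist only in the internal registry.
const INTERNAL_NAMES = ["gxm-reference-web-auth-server", "@corp/"];

// Constructed lock-file content. The first entry reuses a package name from the
// report; the version numbers and tarball URLs are invented for the example.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "build-app", version: "1.0.0" },
    "node_modules/gxm-reference-web-auth-server": {
      version: "0.5.70",
      resolved: "https://registry.npmjs.org/gxm-reference-web-auth-server/-/gxm-reference-web-auth-server-0.5.70.tgz",
    },
    "node_modules/@corp/payments": {
      version: "2.1.0",
      resolved: "https://npm.internal.example/@corp/payments/-/payments-2.1.0.tgz",
    },
    "node_modules/lodash": {
      version: "4.17.21",
      resolved: "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
    },
  },
};

function isInternalName(name) {
  return INTERNAL_NAMES.some((p) => (p.endsWith("/") ? name.startsWith(p) : name === p));
}

// Returns one finding per internal-named package whose tarball did not come
// from the internal registry. Nested paths such as
// "node_modules/a/node_modules/b" are reduced to the innermost package name.
function findConfusedDependencies(lock, internalRegistry = INTERNAL_REGISTRY) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // the root project itself
    const marker = "node_modules/";
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    if (!isInternalName(name)) continue;
    const resolved = entry.resolved || "";
    if (!resolved.startsWith(internalRegistry)) {
      findings.push({ name, version: entry.version, resolved });
    }
  }
  return findings;
}

console.log(findConfusedDependencies(SAMPLE_LOCK));
```

The matching prevention is to bind the internal names to their registry in `.npmrc` (for a scope, `@corp:registry=https://npm.internal.example/`), so npm never consults the public registry for them.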

Update: Code White has stated that the attack was carried out by its employee as part of a coordinated simulation of an attack on a client's infrastructure. During the test, the actions of real attackers were imitated in order to check the effectiveness of the security measures in place.

source: budenet.ru
