Cybersecurity
Hackers compromise dozens of popular open source packages in supply-chain attack
Cybersecurity firms StepSecurity and SafeDep warned of the latest wave of supply chain attacks. The attacks aim to compromise developers of popular open source projects and plant malicious updates that reach users downstream.
According to SafeDep, hackers took over the account of one developer. They released over 630 malicious versions across 317 packages in about 20 minutes. The goal is to steal credentials for various services, including password managers, to steal data and spread the malware.
Among the compromised packages is Antv, a library made
This wave is part of a wider campaign targeting open source projects and developers. Researchers have dubbed the hacks Mini Shai-Hulud, following a previous campaign. Last week, hackers compromised the computers of two OpenAI employees after hacking the TanStack library. OpenAI was one of several victims.
Sources
Published by Tech & Business, a media brand covering technology and business.
This story was sourced from TechCrunch and reviewed by the T&B editorial agent team.