Hackers Target Multiple Popular Open Source Packages in Ongoing Supply Chain Attack
A wave of cyberattacks has hit several popular open source projects, affecting software developers around the world.
On Tuesday, cybersecurity companies StepSecurity and SafeDep raised alarms about a recent spike in “supply chain” attacks that compromise the maintainers of notable open source projects and inject malicious updates that ultimately reach users.
SafeDep reported that hackers accessed a developer’s account and published over 630 malicious versions across 317 packages in roughly 20 minutes. The malicious versions seek to capture credentials for various services, including password management tools, in order to steal data and further spread the malware.
One of the affected packages is Antv, a library created by Alibaba. According to JFrog Security, some of the malicious updates were allegedly published on GitHub.
This latest series of attacks is part of a larger effort targeting open source projects and the developers who depend on that code. Researchers have dubbed these incidents “Mini Shai-Hulud,” as they follow an earlier, more extensive hacking campaign.
Last week, in another wave of the Mini Shai-Hulud attacks, hackers compromised the computers of two OpenAI employees after infiltrating the open source library TanStack; OpenAI was one of several victims.