Supply Chain Attacks
The Rise of Slopsquatting: How AI Hallucinations Are Fueling a New Class of Supply Chain Attacks
Slopsquatting is a new supply chain threat where AI-assisted code generators recommend hallucinated packages that attackers register and weaponize.
Slopsquatting refers to the practice of registering a non-existent package name hallucinated by an LLM, in hopes that someone, guided by an AI assistant, will copy-paste and install it without realizing it’s fake.
AI-assisted package confusion!
Silk Typhoon targeting IT supply chain
Fairly high-level, but quite specific, description of how a Chinese threat actor uses zero-days to target companies that are providing services to IT companies, and then steals API keys and gains lateral movement and privilege escalation.
Malvertising campaign leads to info stealers hosted on GitHub
Different subject, but this time a more detailed post from the Microsoft security blog describing a multi-stage attack that starts with advertising on illegal streaming sites and goes through various stages of discovery, exfiltration, and persistence.
Creating a software bill of materials (SBOM) for an application or a NuGet package
On a similar subject, a review of a few tools that can be used to create a SBOM. Knowing what third-party packages your software depends on seems like a good starting point for any kind of detection of vulnerable or malicious packages.