No Result
View All Result
SUBMIT YOUR ARTICLES
  • Login
Sunday, October 5, 2025
TheAdviserMagazine.com
  • Home
  • Financial Planning
    • Financial Planning
    • Personal Finance
  • Market Research
    • Business
    • Investing
    • Money
    • Economy
    • Markets
    • Stocks
    • Trading
  • 401k Plans
  • College
  • IRS & Taxes
  • Estate Plans
  • Social Security
  • Medicare
  • Legal
  • Home
  • Financial Planning
    • Financial Planning
    • Personal Finance
  • Market Research
    • Business
    • Investing
    • Money
    • Economy
    • Markets
    • Stocks
    • Trading
  • 401k Plans
  • College
  • IRS & Taxes
  • Estate Plans
  • Social Security
  • Medicare
  • Legal
No Result
View All Result
TheAdviserMagazine.com
No Result
View All Result
Home Market Research Market Analysis

School Is In Session, And Attackers Are Grading Your Software Supply Chain Security

by TheAdviserMagazine
3 weeks ago
in Market Analysis
Reading Time: 6 mins read
A A
School Is In Session, And Attackers Are Grading Your Software Supply Chain Security
Share on FacebookShare on TwitterShare on LInkedIn


Software supply chain attacks continue to be a top external attack vector for attackers to breach enterprises, government agencies, and even personal cryptocurrency wallets. Three recently revealed attacks are a reminder of how attackers probe for any weakness in a supply chain, including smaller entities, to target larger enterprises. Learn from these attacks to strengthen your supply chains or expose yourself to the same.

Salesloft-Salesforce

The Salesloft-Salesforce breach is the most sophisticated and has had the biggest impact. In this attack, threat actors compromised Salesloft’s Drift customers and Salesforce customer accounts. Over 700 companies have been affected.

The software supply chain weakness. The breach originated with attackers accessing the Salesloft GitHub account and code repositories. Attackers then accessed the Drift AWS environment. From AWS, attackers obtained authorization tokens for Drift customers’ technology integrations, including Salesforce, which were in turn used to exfiltrate data from Salesforce customer environments. Separately, attackers utilized other Drift integrations to compromise other enterprises. Forrester’s more comprehensive breakdown is here.
What the attackers did. The attackers accessed sensitive data from numerous accounts, including well-respected cybersecurity vendors such as CyberArk, Proofpoint, Tenable, and Zscaler. The exposed customer-sensitive data included IP addresses, account information, access tokens, customer contact data, and business records such as sales pipeline. The attackers exploited cleartext storage of sensitive information within Salesforce support case notes, which were intended to facilitate customer support but provided critical data for hackers.
The impact. The attack showed that attackers can pivot from one application (Drift) into other integrations such as Salesforce, accessing customer environments and making this a third- and fourth-tier supply chain attack.

Chalk And Debug

“chalk and debug” was named after two of the 18 open-source Node Package Manager (NPM) packages that were compromised on September 8.

The supply chain weakness. The attackers started with a targeted phishing campaign to open-source maintainers of popular NPM packages to steal credentials. The attackers used the stolen credentials to lock out developers from their NPM accounts and publish new versions of the popular packages with malicious code embedded. Josh Junon (NPM account name “qix”), one of the compromised maintainers, posted to social messaging sites that he had been hacked and had reached out to NPM maintainers to assist in rectifying the issue. The malware itself was a browser-based interceptor that captures and alters network traffic and browser app functions by injecting itself into key processes, such as data-fetching functions and wallet interfaces, to manipulate requests and responses. The attackers did a good job of disguising the payment details, redirecting to an attacker-controlled destination. To the user, it appears that the crypto transaction was completed successfully until the user realizes that the crypto did not reach the intended location.
What the attackers did. The attackers went through the trouble to obfuscate the malicious code. In addition, the social engineering aspect of the incident was convincing. The email from “[email protected]” asked the developer to reset their two-factor authentication (2FA) credentials. The link in the email redirected to what appeared to be a legit NPM website. Unknowingly, the developer provided their legitimate credentials to the attacker-owned site and would not realize the compromise until they tried to login back into their NPM account. The researchers at JFrog, a security company, noticed that other maintainers had also been victim to the same phishing campaign and that additional NPM packages were compromised and began notifying maintainers.

The impact. Overall, 2.5 million compromised package versions have been downloaded. Researchers at Arkham, a blockchain analytics platform, were able to trace the crypto transactions in the attackers’ wallet, which, as of this past Thursday morning, was only at $1,048.36. The window between the NPM account compromise, the maintainer realizing that they were impacted, and the online reporting by cybersecurity research teams was short, which helped to mitigate the overall attack. In addition, the attackers compromised multiple packages and maintainers, which was unlikely to go unnoticed. Also, thankfully, the malware required that a crypto transaction be initiated in the user’s browser versus just collecting more information that could have been used to move laterally within an organization for a bigger payday.

GhostAction Campaign

In the “GhostAction” campaign, over 3,325 secrets were stolen across 817 GitHub repositories, affecting 327 users.

The software supply chain weakness. Attackers were able to push what appeared to be an innocuous commit titled “Add GitHub Actions Security workflow” to GitHub repositories both public and private. When the GitHub action was triggered, secrets were exfiltrated and sent to an attacker-controlled domain.
What the attackers did. Attackers did their homework. They reviewed repositories to see what secrets were in use and only exfiltrated the most impactful ones to stay under the radar. How attackers were able to access GitHub user accounts was not disclosed. Possibly, users fell prey to a social engineering campaign, as was the case in the chalk and debug campaign, or perhaps user credentials or tokens were stolen or leaked online. Another possible scenario is that the GitHub user account may not have been using 2FA and was reusing a password or subject to credential stuffing. This is unlikely, however, as GiHub enforces 2FA on GitHub.com for most contributing users.
The impact. A potpourri of secrets was exfiltrated, including Docker Hub credentials, GitHub personal access tokens, AWS access keys, NPM tokens, and database credentials. According to GitGurdian, which initially reported the attack, secrets were being actively exploited. The good news is that no open-source packages appeared to be compromised, but several NPM and PyPI projects were deemed at risk.

Take Action Now To Secure Your Software Supply Chain

These attacks prove that all software utilized by your organization, even software as a service, is a security risk. Maintainers of popular open-source packages, compromised GitHub user accounts, and malicious code in open-source packages are just the latest examples of software supply chain weaknesses. Don’t wait for the next attack. Instead:

Get visibility into your software supply chain. Before you can secure the software supply chain, you first need to have an understanding of what components make up the supply chain. IT asset management and software asset management systems are good places to start understanding your software landscape. This includes all software used in the development process, including tools and plugins such as IDEs, source code management systems, build tools, and CI/CD pipelines. For any software you purchase, demand proof of security best practices, including a software bill of materials (SBOM). Monitor SBOMs to track dependency relationships, license changes, end-of-life libraries, and newly disclosed vulnerabilities.
Select secure third-party dependencies. Only allow approved secure and healthy open-source and third-party components to be used or downloaded by utilizing a software composition analysis (SCA). Automate SCA to run on pull requests, builds, artifact repositories, and in the CI pipeline, and scan both source code and artifacts. In addition, set policies to stay current on libraries but also allow for “simmer” time. For example, wait two weeks from when the latest package is published before upgrading to that version. Utilize a dependency firewall to block or quarantine suspicious packages.
Protect software development pipelines. Apply Zero Trust principles to pipelines with phishing-resistant multifactor authentication, scans for misconfigurations, branch protection that enforces code reviews, encryption for sensitive data, and scans for secrets, and regularly audit repository access permissions. Utilize a secrets manager that provides just-in-time credentials, granular access policies to narrowly scope credentials, and alerts on suspicious activity.
Create an enterprise open source software strategy. Open source software (OSS) is a great accelerator for innovation and can even help with developer hiring and retention, but there are security, operational, and legal considerations. Therefore, ensure that your organization has an OSS strategy. This must include engaging your legal team to identify the OSS licenses that meet your business risk appetite. Create a plan for your development teams to contribute back to the open-source projects, such as running security testing and remediating vulnerabilities. This increases the security posture of the open-source project and gives an early warning to any issues.

Software supply chain breaches can have significant consequences, including the loss of customer trust, harm to brand reputation, legal action, decreased revenue, and increased insurance costs. But these risks are avoidable. Take proactive steps by clearly defining and acting on your responsibilities, insisting on transparency, and integrating security measures throughout every phase of the lifecycle.

Want to dive deeper into securing your software supply chain? Read The Future Of Software Supply Chain Security and schedule a guidance session or inquiry with me.



Source link

Tags: attackersChainGradingSchoolSecuritysessionSoftwareSupply
ShareTweetShare
Previous Post

Agrichemicals firm Corteva explores splitting seed and pesticide units, WSJ reports

Next Post

Market Talk – September 12, 2025

Related Posts

edit post
You Still Need A Design System — Now More Than Ever

You Still Need A Design System — Now More Than Ever

by TheAdviserMagazine
October 3, 2025
0

Design is in the news a lot these days. The US government recently created an initiative mandating better design for...

edit post
In The Age Of AI, Reinvention Is The Future Of Customer Success

In The Age Of AI, Reinvention Is The Future Of Customer Success

by TheAdviserMagazine
October 3, 2025
0

Picture it: New York City, September 2025, NY Customer Success Week.  A room full of over 700 CS practitioners gathered...

edit post
What Q2 2025 Technology Services Earnings Mean For Technology Executives

What Q2 2025 Technology Services Earnings Mean For Technology Executives

by TheAdviserMagazine
October 3, 2025
0

2025 has been a volatile year for technology service providers, with Q2 earnings revealing a landscape marked by mixed results...

edit post
Global Cybersecurity Spending To Exceed 0B By 2029

Global Cybersecurity Spending To Exceed $300B By 2029

by TheAdviserMagazine
October 3, 2025
0

Despite the ongoing macroeconomic uncertainty in 2025 fueled in part by sudden changes in US trade policy and tariffs, demand...

edit post
Why Accurate Surgical Procedure Data Is a Strategic Advantage Today?

Why Accurate Surgical Procedure Data Is a Strategic Advantage Today?

by TheAdviserMagazine
October 3, 2025
0

The global healthcare ecosystem is evolving rapidly, with surgical volumes serving as a crucial indicator of infrastructure readiness, patient demand,...

edit post
Bitcoin Rally Gains Steam as Key Resistance Zone Near 5,500 Comes Into View

Bitcoin Rally Gains Steam as Key Resistance Zone Near $125,500 Comes Into View

by TheAdviserMagazine
October 3, 2025
0

Bitcoin broke above $120,000 this week, gaining 7% and ending its bearish trading phase. Heavy inflows into spot ETFs and...

Next Post
edit post
Market Talk – September 12, 2025

Market Talk - September 12, 2025

edit post
Protecting Your Parental Rights: The Risks of Three-Strike Laws in Texas Child Custody

Protecting Your Parental Rights: The Risks of Three-Strike Laws in Texas Child Custody

  • Trending
  • Comments
  • Latest
edit post
What Happens If a Spouse Dies Without a Will in North Carolina?

What Happens If a Spouse Dies Without a Will in North Carolina?

September 14, 2025
edit post
California May Reimplement Mask Mandates

California May Reimplement Mask Mandates

September 5, 2025
edit post
Does a Will Need to Be Notarized in North Carolina?

Does a Will Need to Be Notarized in North Carolina?

September 8, 2025
edit post
DACA recipients no longer eligible for Marketplace health insurance and subsidies

DACA recipients no longer eligible for Marketplace health insurance and subsidies

September 11, 2025
edit post
‘Quiet luxury’ is coming for the housing market, The Corcoran Group CEO says. It’s not just the Hamptons, Aspen, and Miami anymore

‘Quiet luxury’ is coming for the housing market, The Corcoran Group CEO says. It’s not just the Hamptons, Aspen, and Miami anymore

September 9, 2025
edit post
Tips to Apply for Mental Health SSDI Without Therapy

Tips to Apply for Mental Health SSDI Without Therapy

September 19, 2025
edit post
Tel Aviv stocks maintain surge

Tel Aviv stocks maintain surge

0
edit post
The 3 Best Domestic Airlines for Frugal Travelers in 2025

The 3 Best Domestic Airlines for Frugal Travelers in 2025

0
edit post
The Sunday Morning Movie Presents: The Man Who Laughs (1928) Run Time: 1H 54M

The Sunday Morning Movie Presents: The Man Who Laughs (1928) Run Time: 1H 54M

0
edit post
Bitcoin Price Hits New ATH As Polymarket Traders Eye 0K

Bitcoin Price Hits New ATH As Polymarket Traders Eye $130K

0
edit post
Surprising Ways Grandparents Can Help Their Adult Children Without Enabling Debt

Surprising Ways Grandparents Can Help Their Adult Children Without Enabling Debt

0
edit post
Day Trading Rule #2 – Knowledge alone is NOT power in trading

Day Trading Rule #2 – Knowledge alone is NOT power in trading

0
edit post
Firefly Aerospace strengthens portfolio with 5 million deal for national security tech firm SciTec

Firefly Aerospace strengthens portfolio with $855 million deal for national security tech firm SciTec

October 5, 2025
edit post
Larry Summers praises Ford CEO Jim Farley’s concept of the essential economy because it doesn’t ‘fetishize manufacturing’

Larry Summers praises Ford CEO Jim Farley’s concept of the essential economy because it doesn’t ‘fetishize manufacturing’

October 5, 2025
edit post
When Privacy Becomes a Caregiver Issue: What Boomers Need to Know Now

When Privacy Becomes a Caregiver Issue: What Boomers Need to Know Now

October 5, 2025
edit post
Surprising Ways Grandparents Can Help Their Adult Children Without Enabling Debt

Surprising Ways Grandparents Can Help Their Adult Children Without Enabling Debt

October 5, 2025
edit post
I went to a day trading meetup and spoke to people with dreams of getting good enough to quit their 9-to-5

I went to a day trading meetup and spoke to people with dreams of getting good enough to quit their 9-to-5

October 5, 2025
edit post
OpenAI and Jony Ive may be struggling to figure out their AI device

OpenAI and Jony Ive may be struggling to figure out their AI device

October 5, 2025
The Adviser Magazine

The first and only national digital and print magazine that connects individuals, families, and businesses to Fee-Only financial advisers, accountants, attorneys and college guidance counselors.

CATEGORIES

  • 401k Plans
  • Business
  • College
  • Cryptocurrency
  • Economy
  • Estate Plans
  • Financial Planning
  • Investing
  • IRS & Taxes
  • Legal
  • Market Analysis
  • Markets
  • Medicare
  • Money
  • Personal Finance
  • Social Security
  • Startups
  • Stock Market
  • Trading

LATEST UPDATES

  • Firefly Aerospace strengthens portfolio with $855 million deal for national security tech firm SciTec
  • Larry Summers praises Ford CEO Jim Farley’s concept of the essential economy because it doesn’t ‘fetishize manufacturing’
  • When Privacy Becomes a Caregiver Issue: What Boomers Need to Know Now
  • Our Great Privacy Policy
  • Terms of Use, Legal Notices & Disclosures
  • Contact us
  • About Us

© Copyright 2024 All Rights Reserved
See articles for original source and related links to external sites.

Welcome Back!

Login to your account below

Forgotten Password?

Retrieve your password

Please enter your username or email address to reset your password.

Log In
No Result
View All Result
  • Home
  • Financial Planning
    • Financial Planning
    • Personal Finance
  • Market Research
    • Business
    • Investing
    • Money
    • Economy
    • Markets
    • Stocks
    • Trading
  • 401k Plans
  • College
  • IRS & Taxes
  • Estate Plans
  • Social Security
  • Medicare
  • Legal

© Copyright 2024 All Rights Reserved
See articles for original source and related links to external sites.