Norton 360 preinstalled a cryptocurrency miner. [1]
NPM supply chain security issues are shown once again by how quickly the corrupted changes in colors and faker broke many things. [2]
Matthew Green poked around the flawed random number generation logic in a cryptocurrency wallet. [3]
Orca discussed how to chain weaknesses in the IAM setup in AWS Glue to compromise your cloud workload. [4]
Fingerprinting goes to the next level. [5]
Footnotes
1. Maxius on Twitter: "Norton is installing a Cryptocurrency miner called Norton Crypto (NCrypt.exe) on end user systems with out so much as a dialogue during the install of its security product." (twitter.com/mAxius)
2. Dev corrupts NPM libs 'colors' and 'faker' breaking thousands of apps (www.bleepingcomputer.com)
See also:
- research!rsc: What NPM Should Do Today To Stop A New Colors Attack Tomorrow (research.swtch.com)
- (cli): liberty liberty liberty? · Issue #18323 · aws/aws-cdk (github.com)
- Project may have been compromised. Large amount of ASCII art instead of lesson · Issue #327 · workshopper/javascripting (github.com)
- Package appears to be compromised. · Issue #786 · oclif/oclif (github.com)
3. An extremely casual code review of MetaMask’s crypto – A Few Thoughts on Cryptographic Engineering (blog.cryptographyengineering.com)
4. Superglue: Orca Security Research Team Discovers AWS Glue Vulnerability (orca.security)
5. Exploiting IndexedDB API information leaks in Safari 15 (fingerprintjs.com)