lazarusholic

Everyday is lazarus.dayβ

Security alert: social engineering campaign targets technology industry employees

2023-07-18, Tay
https://github.blog/2023-07-18-security-alert-social-engineering-campaign-targets-technology-industry-employees/
#JadeSleet #NPM

Contents

Introducing passwordless authentication on GitHub.com
Passkeys are now available in public beta. Opting in lets you upgrade security keys to passkeys, and use those in place of both your password and your 2FA method.
GitHub has identified a low-volume social engineering campaign that targets the personal accounts of employees of technology firms. No GitHub or npm systems were compromised in this campaign. We’re publishing this blog post as a warning for our customers to prevent exploitation by this threat actor.
GitHub has identified a low-volume social engineering campaign that targets the personal accounts of employees of technology firms, using a combination of repository invitations and malicious npm package dependencies. Many of these targeted accounts are connected to the blockchain, cryptocurrency, or online gambling sectors. A few targets were also associated with the cybersecurity sector. No GitHub or npm systems were compromised in this campaign. We’re publishing this blog post as a warning for …

IoC

http://bi2price.com
http://coingeckoprice.com
http://cryptopriceoffer.com
http://npmaudit.com
http://npmjscloud.com
http://npmjsregister.com
http://npmrepos.com
http://tradingprice.net