Papajams

@papa

Second such supply chain attack in as many weeks

DEFENCE

- Use Firewall: https://socket.dev/features/firewall
- Pin dependencies to safe versions
- Downgrade NOW: Pin to safe versions: [email protected] (1.x) or [email protected] (0.x)
- Assume compromise: If systems have installed the affected axios versions, assume they are compromised (Security Online)
- Rotate all secrets, API keys, and credentials stored on or accessed by exposed machines
- Commit lockfiles: Always commit and use lockfiles (package-lock.json) with npm ci instead of npm install
- Package cooldown: Block newly published npm packages during a configurable cooldown window, since most malicious packages are identified within 24 hours (StepSecurity)
- Disable lifecycle scripts: Use npm install --ignore-scripts in CI environments to prevent malicious postinstall scripts from running (Security Online)
- Use pnpm security controls: pnpm blocks lifecycle scripts by default and doesn't implicitly trust and execute arbitrary code from packages (pnpm)
- Network allowlisting: Enforce egress allowlists in CI/CD to block C2 callbacks
- Secret scanning: Enable GitHub Secret Scanning alerts and Dependabot security updates
- Pre-merge scanning: Automate security checks on every pull request
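The "package cooldown" item above in working form, as an added example that is not part of the original post: it reads the `time` map from an npm registry packument (the JSON served for a package name) and refuses any version published less than a configurable number of hours ago. The packument, package name, version strings and timestamps below are constructed sample data, not real releases.

```python
"""Package-cooldown check against an npm registry packument.

Added example, not from the original post. The packument below is
constructed sample data; the package name, versions and timestamps are
invented for illustration and do not describe any real axios release.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample: the shape follows the real registry "time" field,
# which maps each version (plus "created"/"modified") to an ISO-8601 stamp.
SAMPLE_PACKUMENT = {
    "name": "example-pkg",  # hypothetical package name
    "dist-tags": {"latest": "1.3.0"},
    "time": {
        "created": "2024-01-01T00:00:00.000Z",
        "modified": "2024-06-10T08:00:00.000Z",
        "1.1.0": "2024-03-01T12:00:00.000Z",
        "1.2.0": "2024-05-20T09:30:00.000Z",
        "1.3.0": "2024-06-10T08:00:00.000Z",  # published 2 hours before SAMPLE_NOW
    },
}

# Constructed "current time" so the example is deterministic and runs offline.
SAMPLE_NOW = datetime(2024, 6, 10, 10, 0, tzinfo=timezone.utc)


def published_at(packument, version):
    """Parse the registry timestamp for one version into an aware datetime."""
    stamp = packument["time"][version]
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def in_cooldown(packument, version, now=SAMPLE_NOW, cooldown_hours=24):
    """True if `version` was published less than `cooldown_hours` before `now`."""
    return now - published_at(packument, version) < timedelta(hours=cooldown_hours)


def newest_allowed_version(packument, now=SAMPLE_NOW, cooldown_hours=24):
    """Newest version (by publish time, not semver) that has aged past the
    cooldown window, or None if every version is still too fresh to trust."""
    versions = [v for v in packument["time"] if v not in ("created", "modified")]
    allowed = [v for v in versions if not in_cooldown(packument, v, now, cooldown_hours)]
    if not allowed:
        return None
    return max(allowed, key=lambda v: published_at(packument, v))


if __name__ == "__main__":
    latest = SAMPLE_PACKUMENT["dist-tags"]["latest"]
    print(f"latest={latest} in_cooldown={in_cooldown(SAMPLE_PACKUMENT, latest)}")
    print("newest allowed:", newest_allowed_version(SAMPLE_PACKUMENT))
```

In CI this check would run before `npm ci` with a packument fetched from the registry; a "latest" that is still inside the window is the signal to hold the upgrade, not to skip the build.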