Vercel said the fallout from an attack on its internal systems hit more customers than previously known, as ongoing analysis uncovered additional evidence of compromise. 

The company, which makes tools and hosts cloud infrastructure for developers, maintains a “small number” of accounts were impacted, but it has yet to share a number or range of known incidents linked to the attack. Vercel created and maintains Next.js, a platform supporting AI agents that’s downloaded more than 9 million times per week, and other popular open-source projects. 

Vercel CEO Guillermo Rauch said the company and partners have analyzed nearly a petabyte of logs across the Vercel network and API, and learned malicious activity targeting the company and its customers extends beyond an initial attack that originated at Context.ai. 

“Threat intel points to the distribution of malware to computers in search of valuable tokens like keys to Vercel accounts and other providers,” Rauch said in a post on X. 

“Once the attacker gets ahold of those keys, our logs show a repeated pattern: rapid and comprehensive API usage, with a focus on enumeration of non-sensitive environment variables,” he added.

The attack exemplifies the widespread and compounded risk posed by interconnected systems that rely on OAuth tokens, trusted relationships and overly privileged permissions linking multiple services together.

“The real vulnerability was trust, not technology,” Munish Walther-Puri, head of critical digital infrastructure at TPO Group, told CyberScoop. “OAuth turned a productivity app into a backdoor. Every AI tool an employee connects to their work account is now a potential attack surface.”

An attacker traversed Vercel’s internal systems to steal and decrypt customer data, including environment variables it stored, posing significant downstream risk. 

The company insists the breach originated at Context.ai, a third-party AI tool used by one of its employees. Researchers at Hudson Rock previously said the seeds of that attack were planted in February when a Context.ai employee’s computer was infected with Lumma Stealer malware after they searched for Roblox game exploits, a common vector for infostealer deployments. 

Vercel has not specified the systems and customers data compromised, nor has it described the threat eradicated or contained. The company said it’s found no evidence of tampering across the software packages it publishes, concluding “we believe the supply chain remains safe.” 

The company fueled further intrigue in its updated security bulletin, noting that it also identified a separate “small number of customers” that were compromised in attacks unrelated to the breach of its systems. 

“These compromises do not appear to have originated on Vercel systems,” the company said. “This activity does not appear to be a continuation or expansion of the April incident, nor does it appear to be evidence of an earlier Vercel security incident.”

It’s unclear how Vercel became aware of those attacks and why it’s disclosing them publicly. 

Vercel declined to answer questions, and Mandiant, which is running incident response and an investigation into the attack, referred questions back to Vercel. 

Vercel has not attributed the breach to any named threat group or described the attackers’ objectives. 

An online persona identifying themselves as ShinyHunters took responsibility for the attack and is attempting to sell the stolen data, which they claim includes access keys, source code and databases. Austin Larsen, principal threat analyst at Google Threat Intelligence Group, said the attacker is “likely an imposter,” but emphasized the risk of exposure is real.

Walther-Puri warned that the downstream blast radius from the attack on its systems remains undefined. “Stolen API keys and source code snippets from internal views are potentially keys to customer production environments,” he said.

The stolen data attackers claim to have “sounds almost boring … but it’s infrastructure intelligence,” Walther-Puri added. “The right environment variable doesn’t just unlock a system — it lets adversaries become that system, silently, from the inside.”

The post Vercel attack fallout expands to more customers and third-party systems appeared first on CyberScoop.

Vercel customers are at risk of compromise after an attacker hopped through multiple internal systems to steal credentials and other sensitive data, the company said in a security bulletin Sunday. 

The attack, which didn’t originate at Vercel, showcases the pitfalls of interconnected cloud applications and SaaS integrations with overly privileged permissions. 

An attacker traversed third-party systems and connections left exposed by employees before it hit the San Francisco-based company that created and maintains Next.js and other popular open-source libraries. 

Researchers at Hudson Rock said the seeds of the attack were planted in February when a Context.ai employee’s computer was infected with Lumma Stealer malware after they searched for Roblox game exploits, a common vector for infostealer deployments.

Each of the companies are pinning at least some blame for the attack on the other vendor.

Context.ai on Sunday said that breach allowed the attacker to access its AWS environment and OAuth tokens for some users, including a token for a Vercel employee’s Google Workspace account. Vercel is not a Context customer, but the Vercel employee was using Context AI Office Suite and granted it full access, the artificial intelligence agent company said. 

“The attacker used that access to take over the employee’s Vercel Google Workspace account, which enabled them to gain access to some Vercel environments and environment variables that were not marked as sensitive,” Vercel said in its bulletin. 

The company said a limited number of its customers are impacted and were immediately advised to rotate credentials. Vercel, which declined to answer questions, did not specify which internal systems were accessed or fully explain how the attacker gained access to Vercel customers’ credentials. 

Vercel CEO Guillermo Rauch said customer data stored by the company is fully encrypted, yet the attacker got further access through enumeration, or by counting and inventorying specific variables. 

“We believe the attacking group to be highly sophisticated and, I strongly suspect, significantly accelerated by AI,” he said in a post on X. “They moved with surprising velocity and in-depth understanding of Vercel.”

A threat group identifying itself as ShinyHunters took responsibility for the attack in a post on Telegram and is attempting to sell the stolen data, which they claim includes access keys, source code and databases.

The attacker “is likely an imposter attempting to use an established name to inflate their notoriety,” Austin Larsen, principal threat analyst at Google Threat Intelligence, wrote in a LinkedIn post. “Regardless of the threat actor involved, the exposure risk is real.”

Vercel also warned that the attack on Context’s Google Workspace OAuth app “was the subject of a broader compromise, potentially affecting its hundreds of users across many organizations.” It published indicators of compromise and encouraged customers to review activity logs, review and rotate variables containing secrets.

Context and Vercel said their separate and coordinated investigations into the attack aided by CrowdStrike and Mandiant remain underway.

The post Vercel’s security breach started with malware disguised as Roblox cheats appeared first on CyberScoop.

OpenAI updated its security certificates and is requiring all macOS users to update to the latest versions after determining its products, along with many others, were impacted by a widespread supply-chain attack that briefly infected a popular open-source library in late March, the company said in a blog post Friday.

The artificial intelligence vendor said it “found no evidence that OpenAI user data was accessed, that our systems or intellectual property was compromised, or that our software was altered.”

Yet, because a GitHub workflow the company uses to sign certificates for macOS applications downloaded and executed a malicious version of Axios, the company is treating the soon-to-be defunct certificate as compromised.

A North Korean hacking group injected malware into two versions of Axios after it compromised the lead maintainer’s computer via social engineering and took over his npm and GitHub accounts. Jason Saayman, the lead maintainer for Axios, said the malicious versions of the software were live for about three hours before removal. 

Google Threat Intelligence Group, which tracks the threat group as UNC1069, said the impact of the attack was broad with ripple effects potentially exposing other popular packages. The JavaScript libraries flow into dependent downstream software through more than 100 million and 83 million downloads weekly. 

The attack was discovered just weeks after a series of other open-source tools, including Trivy, were compromised by UNC6780, also known as TeamPCP, resulting in aggressive extortion attempts. 

OpenAI insists the malware that infected Axios did not directly impact its certificate, which is designed to help customers confirm they are downloading legitimate software. 

“The signing certificate present in this workflow was likely not successfully exfiltrated by the malicious payload due to the timing of the payload execution, certificate injection into the job, sequencing of the job itself, and other mitigating factors,” the company said in the blog post. “Nevertheless, out of an abundance of caution we are treating the certificate as compromised, and are revoking and rotating it.”

Older versions of OpenAI’s macOS apps may lose functionality and will no longer be supported when the certificate is fully revoked May 8, the company said.

OpenAI, which hired a third-party digital forensics and incident response firm to aid its investigation and response, pinned the root cause of the security issue on a misconfiguration in its GitHub workflow. The company said it corrected that error and worked with Apple to ensure fraudulent apps posing as OpenAI cannot use the impacted certificate.

The 30-day window is designed to minimize disruption for users, but OpenAI said it will speed up the revocation deadline if it identifies any malicious activity. The company did not immediately respond to a request for comment.

The post OpenAI’s Mac apps need updates thanks to the Axios hack appeared first on CyberScoop.

SAN FRANCISCO — Mandiant is responding to a major, ongoing supply-chain attack involving the compromise of Trivy, a widely used open-source tool from Aqua Security that’s designed to find vulnerabilities and misconfigurations in code repositories.

The fallout from the attack spree, which was first detected March 19, is extensive and poses substantial risk for follow-on compromises and threatening extortion attempts. 

“We know over 1,000 impacted SaaS environments right now that are actively dealing with this particular threat campaign,” Charles Carmakal, chief technology officer at Mandiant Consulting said during a threat briefing held in conjunction with the RSAC 2026 Conference. “That thousand-plus downstream victims will probably expand into another 500, another 1,000, maybe another 10,000.”

Attackers stole a privileged access token and established a foothold in Trivy’s repository automation process by exploiting a misconfiguration in the tool’s GitHub Actions environment in late February, Aqua Security said in a blog post. 

On March 1, the company tried to block an ongoing breach by changing its credentials. They later realized the attempt failed, which allowed the attacker to stay in the system using valid logins. Attackers published malicious releases of Trivy on March 19.

“While this activity initially appeared to be an isolated event, it was the result of a broader, multi-stage supply-chain attack that began weeks earlier,” Aqua Security said in the blog post.

By compromising the tool, attackers gained access to secrets for many organizations, Carmakal said. “There will likely be many other software packages, supply-chain attacks and a variety of other compromises as a result of what’s playing out right now.”

Mandiant expects widespread breach disclosures, follow-on attacks and a variety of downstream impacts to play out over the next several months. 

The attackers, which the incident response firm has yet to name, are collaborating with multiple threat groups mostly based in the United States, Canada and United Kingdom. These cybercriminals “are known for being exceptionally aggressive with their extortion,” Carmakal said. “They’re very loud, they’re very aggressive.”

Mandiant is still working to identify the root of the initial attack. “We can’t quite tell how those credentials were stolen, because it is our belief that those credentials were not stolen from that victim’s environment,” Carmakal said. 

The credentials were likely stolen from another cloud environment, a business process outsourcer, partner or the personal computer of an engineer, he added. 

Aqua said Sygnia, which is investigating the attack and assisting in remediation efforts, identified additional suspicious activity Sunday involving unauthorized changes and repository changes — activity that is consistent with the attacker’s previously observed behavior.

“This development suggests that the incident is part of an ongoing and evolving attack, with the threat actor reestablishing access. Our investigation is actively focused on validating that all access paths have been identified and fully closed,” the company said.

Aqua, in its latest update Tuesday, said it is continuing to revoke and rotate credentials across all environments and claimed there is still no indication its commercial products are affected. 

Many attackers are currently weaponizing access and likely targeting additional victims, yielding to potential extortion attempts and the compromise of additional software, Carmakal said. 

“It’s going to be a different outcome for a lot of different organizations,” he said. “This will be a very concentrated focus of the adversaries and their expansion group of partners that they’re collaborating with right now.”

The post Experts warn of a ‘loud and aggressive’ extortion wave following Trivy hack appeared first on CyberScoop.

A maximum-severity vulnerability in pac4j, an open-source library integrated into hundreds of software packages and repositories, poses a significant security threat, but has thus far received scant attention.

The defect in the Java security engine, which handles authentication across multiple frameworks, has not been exploited in the wild since code review firm CodeAnt AI published a proof-of-concept exploit last week. The company discovered the vulnerability and privately reported it to pac4j’s maintainer, which disclosed the defect and released patches for affected versions of the library within two days.

Some researchers told CyberScoop they are concerned about the vulnerability — CVE-2026-29000 — because it affects a widely deployed Java security engine that attackers can exploit with relative ease.

“A threat actor only needs to access a server’s public RSA key to attempt exploitation,” researchers at Arctic Wolf Labs said in an email. 

These public keys, which are shared openly, are used to encrypt data and enable identity authentication. Attackers can trigger the defect and bypass authentication by forging a JSON Web Token (JWT) or deploy raw JSON claims via JSON Web Encryption (JWE) in pac4j-jwt to break into a system with the highest privileges.

“It is currently too early into the lifecycle of this vulnerability to tell if it will materialize into a major threat but the fact that it is a vulnerability in a library makes it more challenging to assess the potential risk,” researchers at Arctic Wolf Labs said. “Downstream consumers of the library may end up needing to issue their own advisories, as we’ve seen with other similar vulnerabilities in the past.”

Amartya Jha, co-founder and CEO at CodeAnt AI, warned that anyone with basic JWT knowledge can achieve exploitation. The vulnerability is a “logic flaw that no pattern-matching scanner or rule-based static application security testing tool would surface, because there’s no single line of code that’s wrong.”

The downstream security risk, as is often the case with open-source software, is widespread. The authentication module for pac4j is integrated into multiple frameworks, including Spring Security, Play Framework, Vert.x, Javalin and others, Jha said.

Many organizations may not realize they depend on pac4j-jwt because it’s not always declared in build files, he added. CodeAnt said it has contacted hundreds of maintainers in the past week to warn them that their packages and repositories are impacted by the vulnerability, which has a CVSS rating of 10.

Researchers haven’t observed any additional PoC exploit code, but they noted the exploit path is easy to reproduce. 

“The conditions for exploitation are favorable,” Jha said. “It’s pre-authentication, requires no secrets, the PoC is public, and the attack surface includes any internet-facing application or API gateway using the affected configuration. The window between public PoC and patch adoption is where the risk is highest.”

The post Critical defect in Java security engine poses serious downstream security risks appeared first on CyberScoop.

Talha Tariq and his colleagues at Vercel, the company that maintains Next.js, endured many sleep-deprived nights and weekends when React2Shell was discovered and disclosed soon after Thanksgiving. The defect, which affects vast stretches of the internet’s underlying infrastructure, posed a significant risk for Next.js, an open-source library that depends on vulnerable React Server Components.

He quickly realized he had a major problem to confront with CVE-2025-55182, a maximum-severity vulnerability affecting multiple React frameworks and bundlers that allows unauthenticated attackers to achieve remote code execution in default configurations. 

“It’s literally the very first layer that everybody on the internet interacts with, so from a risk perspective and exposure perspective it’s basically as bad as it could be,” Tariq, the company’s CTO, told CyberScoop.

Tariq and his team initiated and coordinated a massive response effort with major cloud providers, the open source community and technology vendors hours after a developer reported the defect to Meta, which initially created and maintained React before moving the open-source library to the React Foundation in October.

The React team publicly disclosed the flaw with a patch four days later, after Vercel and many other impacted providers implemented platform-level mitigations to minimize damages.

Vercel’s deep integration with and  understanding of React meant it had an outsized responsibility to investigate and share its findings across the industry. Doing so would help validate the patch’s effectiveness and ensure downstream customers understood the potential risk once the vulnerability was disclosed, Tariq said. 

“Nobody slept through the weekend, nobody slept through the night,” he said, adding that it was a 24/7 response for Vercel for a minimum of two weeks — extending beyond the vulnerability disclosure into a cat-and-mouse game with attackers seeking to exploit the defect or bypass the patch.

Cybercriminals, ransomware gangs and nation-state threat groups were all taking swift measures to exploit the vulnerability. 

Palo Alto Networks’ Unit 42 confirmed more than 60 organizations were directly impacted by attacks involving exploitation of the defect by mid-December. Valid public exploits also hit an all-time high, nearing 200 by that time, according to VulnCheck.

Malicious activity targeting React2Shell remains at a “sustained, elevated pace,” cybersecurity firm GreyNoise said in a Wednesday update. The company’s sensors have observed more than 8.1 million attempted attacks since the defect was disclosed, with daily volumes now ranging between 300,000 and 400,000 after peaking in the final weeks of December.

Vercel also responded to React2Shell with a quickly arranged HackerOne bounty program offering $50,000 for each verified technique that bypassed its web application firewall. More than 116 researchers participated, and Vercel ultimately paid out $1 million for 20 unique bypass techniques. 

The company said this work allowed it to block more than 6 million exploit attempts targeting environments running vulnerable versions of Next.js. Tariq said it was the “best million dollars spent,” considering the potential impact and exposure it contained.

Tariq doesn’t look back on the initial response toReact2Shell with regret. Instead, he sees it as motivation to address a persistent challenge rooted in coordination.

The burden to promptly address security issues with the broader community often falls on individuals like Tariq who relied on personal relationships to coordinate an industry-wide response. This involved direct contact and communication with security leaders at Google, Microsoft, Amazon and others, he said. 

“We have to do better as an industry and figure out a more sustaining way to do this,” Tariq said.

The post Inside Vercel’s sleep-deprived race to contain React2Shell appeared first on CyberScoop.

Attackers of different origins and motivations swiftly exploited a critical vulnerability dubbed React2Shell, affecting React Server Components shortly after Meta and the React team publicly disclosed the flaw with a patch Wednesday. 

Multiple security firms are responding to active exploitation in the wild as a scrum of reports conclude the malicious activity is limited to scanning and attempts instead of actual attacks. Yet, official word from the Cybersecurity and Infrastructure Security Agency is clear — the agency added CVE-2025-55182 to its known exploited vulnerabilities catalog Friday. 

Reaction to the deserialization vulnerability, which has a CVSS rating of 10 and allows unauthenticated attackers to achieve remote-code execution, has revealed a chasm in the cybersecurity research community. Threat analysts are mostly growing more concerned about downstream impacts, but some are urging defenders to respond with less urgency and restraint.

A debate over actual exploitation is muddying response efforts as some researchers say they’ve observed working proof of concepts and others assert legitimate PoCs are lacking. Nonetheless, real organizations have been impacted by attacks, according to multiple researchers investigating the fallout. 

Palo Alto Networks’ incident response firm Unit 42, watchTowr and Wiz told CyberScoop they’ve observed successful exploitation and follow-on malicious activity.

As of late Friday, Unit 42 has confirmed more than 30 organizations across various sectors are impacted. 

“Unit 42 observed threat activity we assess with high confidence is consistent with CL-STA-1015, also known as UNC5174, a group suspected to be an initial access broker with ties to the Chinese Ministry of State Security,” said Justin Moore, senior manager of threat intel research at Unit 42. 

“In this activity, we observed the deployment of Snowlight and Vshell malware, both highly consistent with Unit 42 knowledge of CL-STA-1015,” he added. 

More broadly, Moore said Unit 42 has “observed scanning for vulnerable remote-code execution, reconnaissance activity, attempted theft of Amazon Web Services configuration and credential files, as well installation of downloaders to retrieve payloads from attacker command and control infrastructure.”

Ben Harris, CEO and founder of watchTowr, said his team has observed indiscriminate exploitation, describing the malicious activity as rapid and prolific.

“Post-exploitation we’ve seen everything from basic extraction of credentials through to webshell deployments as a stepping stone to further activities,” Harris said. 

Multiple Wiz customer environments have been impacted by successful exploitation as well, according to Amitai Cohen, the company’s threat vector intel lead. 

“So far, we’ve observed deployments of cryptojacking malware and attempts to extract cloud credentials from compromised machines,” he said. “These early-stage activities are consistent with common post-exploitation objectives like resource hijacking and establishing further access.”

Researchers from multiple firms said attempted and successful exploitation has increased following the release of public PoCs. The potential scope of impact is significant, as 39% of cloud environments contain instances of React or Next.js, a separate open-source library that depends on React Server Components, running versions vulnerable to CVE-2025-55182, according to Wiz Research.

“The Next.js framework itself is present in 69% of environments, and 44% of all cloud environments have publicly exposed Next.js instances — regardless of the version running,” Cohen said.

Further complicating matters, Vercel, the company behind Next.js, disclosed and issued a patch Wednesday for its own maximum-severity vulnerability — CVE-2025-66478 — but the CVE was rejected because it’s a duplicate of the React defect, the root cause. 

Multiple threat groups are mobilizing resources to exploit the vulnerability for various objectives. 

“There are remote-code execution PoCs around now. It’s definitely already started, which means ransomware gangs follow. They don’t ignore opportunities for money,” Harris said.

Within hours of the public disclosure of the vulnerability, “Amazon threat intelligence teams observed active exploitation attempts by multiple China state-nexus threat groups, including Earth Lamia and Jackpot Panda,” CJ Moses, chief information security officer of Amazon Integrated Security, said in a blog post Thursday.

Unit 42 said it, too, is tracking attempted exploitation from several possible China-linked threat actors and cybercriminals. 

Automated, opportunistic exploitation attempts based on a publicly released PoC have been widespread, said Noah Stone, head of content at GreyNoise Intelligence. The firm’s sensors have captured malicious traffic originating from infrastructure in China, Hong Kong, the United States, Japan and Singapore targeting services based in the United States, Pakistan, India, Singapore and the United Kingdom, he said. 

VulnCheck’s decoy systems, which act as an early warning sign of vulnerability exploitation, have also observed exploitative scanning, said Caitlin Condon, the company’s vice president of research. “VulnCheck has been looking at patch rates on exposed Next.js apps, and we didn’t see a lot of patched systems,” she added.

Patching and mitigating the vulnerability isn’t without risk, either. Cloudflare said it experienced a temporary outage that was triggered by changes it made to its body parsing logic to detect and mitigate the vulnerability Friday.

As security researchers debate the viability of PoCs for the React vulnerability and visibility into actual attacks differs across the community, there’s no doubt the defect, which affects one of the most extensively used application frameworks, has captured sweeping interest and attention.

“This whole story is wild,” said Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative. “This has been a real rollercoaster.”

The post Attackers hit React defect as researchers quibble over proof appeared first on CyberScoop.

Security researchers and code developers are scrambling to patch and investigate a critical vulnerability affecting React Server Components, an open-source library used widely across the internet and embedded into many essential software frameworks.

The rapid response underscores the potential consequences of exploitation. Although no attacks have been observed or reported, researchers expect them soon and are urgently mobilizing resources to address the defect.

The vulnerability – CVE-2025-55182 – was discovered by Lachlan Davidson, a developer and lead of security innovation at Carapace, and reported to Meta on Saturday. Meta and the React team created a patch and worked with affected hosting providers to address the defect Monday before the public disclosure on Wednesday.

“The reason there’s been such a measured response to this vulnerability is because exploitation is inevitable,” Ben Harris, CEO and founder of watchTowr, told CyberScoop. “We should be expecting attackers to start exploiting this vulnerability truly imminently.” 

React is one of the most extensively used application frameworks, putting large swaths of web applications at risk. “Our data shows that these libraries can be found in vulnerable versions in around 39% of cloud environments,” said Amitai Cohen, threat vector intel lead at Wiz.

Researchers warn that exploitation of the deserialization defect is trivial and allows unauthenticated attackers to achieve remote code execution in default configurations, resulting in elevating privileges or pivots into other parts of a network. “The impact on the resources stored on that system could be devastating should things like access keys or other secrets or sensitive information be present,” said Stephen Fewer, senior principal researcher at Rapid7.

Prior to public disclosure, security researchers from Meta, which initially created and maintained React before moving the open-source library to the React Foundation in October, worked behind the scenes to notify affected organizations of the defect and shared temporary steps for mitigation such as web application firewall rules.

“While we are actively investigating and have no evidence that this vulnerability has been exploited at this time, we want to make all developers aware of this issue so they can implement the appropriate mitigations quickly,” a Meta spokesperson said in a statement.

The vulnerability affects multiple React frameworks and bundlers, including Next.js, React Router, Waku, Parcel RSC plugin, Vite RSC plugin, RedwoodJS and likely others that haven’t been identified yet, according to researchers. Vercel, the company behind Next.js, disclosed and issued a patch for its own maximum-severity vulnerability — CVE-2025-66478 — due to its dependency on React Server Components. 

Researchers from Wiz, Rapid7, watchTowr and other security firms warned that ensuing fallout from other frameworks or libraries that depend on React Server Components is likely, and long-tail impacts will persist in environments that are less maintained or difficult to update.

It’s unclear why Vercel assigned a separate CVE for Next.js since the upstream defect in React, CVE-2025-55182, is the root cause, but the vendor could be tracking impact on its own product, Fewer said. “It should not be necessary to assign a new CVE for each React-dependent framework, so long as the root cause remains the same as the original CVE-2025-55182 issue,” he added.

Cale Black, senior researcher at VulnCheck, said upstream dependency vulnerabilities tend to be handled on a per-project basis. “Projects with more mature security processes will release their own remediation guidance, and potentially over CVEs,” he said.

Meanwhile, threat hunters are steeling themselves for active exploitation and expect technical details and exploit code to be publicly available shortly. 

“With the entire internet looking at a solution that’s used everywhere to understand this vulnerability, someone will figure it out,” Harris said. “I have no doubt that by tomorrow morning, when I wake up, there will be easily one, if not more ways to reproduce this vulnerability.”

The post Developers scramble as critical React flaw threatens major apps appeared first on CyberScoop.

Security researchers and authorities are warning about a fresh wave of supply-chain attacks linked to a self-replicating worm that attackers have injected into almost 500 npm (node.js package manager) software packages, exposing more than 26,000 open-source repositories on GitHub.

The trojanized npm packages, which were first discovered late Sunday by Charlie Eriksen, security researcher at Aikido Security, were uploaded during a three-day period starting Friday and reference a new version of Shai-Hulud, malware that previously infected npm packages in September.

The campaign remains active and is compromising additional repositories, while others have been removed. Researchers haven’t observed downstream attacks originating from credentials stolen by the malware.

“However, because these credentials were publicly exposed on GitHub, it is highly likely that multiple threat actors already have access to them or will soon. This significantly increases the probability of downstream exploitation even if it has not yet appeared at scale,” Eriksen told CyberScoop.

The malware is propagating rapidly, using stolen npm tokens to infect additional packages at a level of automation and scale that is substantially higher than its previous version, approaching near self-sufficiency, Eriksen added. 

Major packages including Zapier, ENS Domains, PostHog and Postman were trojanized, allowing the attackers to populate GitHub repositories with stolen victim data, according to Wiz. Some of the packages are present in about 27% of cloud and code environments, the security firm said in a blog post Monday.

“We’ve observed multiple environments where these trojanized packages were downloaded before their removal from npm, suggesting active real-world exposure,” Merav Bar, threat researcher at Wiz, told CyberScoop. “As we saw in past attacks, we expect to see a long tail of exploitation of the exposure across both the initial and opportunistic attackers.”

The previous and current wave of Shai-Hulud attacks appear to be focused on stealing developer secrets that can be used for deeper supply-chain compromise, Bar added.

“Both waves of Shai-Hulud show how easy it is for attackers to weaponize trusted distribution paths, push malicious versions at scale, and reach thousands of downstream developers before anyone realizes something is wrong,” she said.

The timing of the latest Shai-Hulud campaign was opportunistic as well, hitting repositories just weeks before npm, a company GitHub acquired in 2020, plans to revoke classic tokens as part of a push to institute more strict security practices broadly. “This campaign would be significantly limited if these security implementations were in place,” Eriksen said.

The latest variant of Shai-Hulud creates malicious files during the preinstall phase, including a randomly named public repository containing stolen data. While the attacker references Shai-Hulud and activities resemble the previous worm, researchers at Wiz said there are some differences and attribution has not been fully confirmed.

Ron Peled, chief operating officer and co-founder of Sola Security, described npm as a low-friction package ecosystem, which makes it an appealing target for attackers. Moreover, he said, developers’ endpoints and CI/CD environments are often a blind spot for endpoint detection and response and anti-malware tools.

“Developers often store GitHub tokens, npm tokens or cloud secrets in environment variables,” Peled said. “Build systems almost always have access to powerful tokens and the malware only needs one of them to propagate.”

Attackers target open-source software for supply-chain attacks frequently, and the latest campaign marks yet another attack specifically targeting npm. Attacks are gaining maturity and complexity, building upon previous success, said Melissa Bischoping, senior director of security and product design research at Tanium. 

“Last year, everyone zeroed in on the XZ Utils compromise and how supply-chain compromise of a single open-source project could potentially hijack the entire world. In early September we had simple cryptojacking which was mostly a non-issue, but then that was quickly followed by the Shai-Hulud worm which stole credentials and further compromised security,” she added. 

“The pattern emerging is that attackers have identified open-source developers as high-value targets and have had massive success in just the last year,” Bischoping said. “Developers, even hobbyist ones, need to be prepared for continued attacks and escalation.”

The post Shai-Hulud worm returns stronger and more automated than ever before appeared first on CyberScoop.

Open-source components power nearly all modern software, but they’re often buried deep in massive codebases—hiding severe vulnerabilities. For years, software bills of materials (SBOMs) have been the security community’s key tool to shine a light on these hidden risks. Yet, despite government advancements in the US and Europe, SBOM adoption in the private sector remains sluggish. Now, some experts warn that the rapid rise of AI-assisted coding could soon eclipse the push to make software supply chains more transparent.

“I’m a strong, strong supporter of SBOM, and yet we have this emerging thing that’s happening that fundamentally undermines everything that we’ve been working towards,” Sounil Yu, chief AI officer of Knostic, told CyberScoop. “It is not a far-away future where we should expect to see a near infinite number of varieties of [CVE-free software packages] that AI coding systems are going to generate.”

Yu’s optimistic vision, while shared by some, is roundly rejected by many veteran SBOM and software security experts, who say there will likely never be a day when AI can produce vulnerability-free software. 

“People are imagining a future where there are no open-source dependencies or there are no reused dependencies, and therefore there’s nothing to put in an SBOM because every piece of the code is bespoke,” Brian Fox, the co-founder and CTO of Sonatype, told CyberScoop. “I think that’s kind of insane.”

Where SBOM policy stands

Developed under an executive order issued under President Joe Biden, the National Telecommunications and Information Administration (NTIA) released the US government’s first official software SBOM document, The Minimum Elements For a Software Bill of Materials (SBOM), in July 2021. That foundational effort was subsequently transferred to the Cybersecurity and Infrastructure Security Agency (CISA).

According to Allan Friedman, who is widely considered the “father” of SBOM and spearheaded that document’s creation, Biden’s order was also clearly intended for SBOMs to be mandated for federal government suppliers under the FAR [Federal Acquisition Regulation], which could have created a transparency floor for all software providers looking to sell into the federal government.

However, neither the National Institute of Standards and Technology (NIST) nor the Office of Management and Budget (OMB) fully spelled out what that requirement would look like, and the hoped-for FAR requirement ended up merely as part of a required software attestation form, according to Friedman, who is now a senior technical adviser at the Institute for Security and Technology (IST).

Two recent developments at CISA have fostered hopes for more widespread and robust SBOMs. On Aug. 22, the agency opened a public comment period for an SBOM guide that aims to update the NTIA document to reflect evolving SBOM practices.

On Sept. 3, CISA, in collaboration with NSA and 19 international partners, released joint guidance outlining the “growing international consensus” for what an SBOM should look like. Participants called the guidance “a significant step forward in strengthening software supply chain transparency and security worldwide.”

As promising as some may find these developments, some experts believe they represent the last vestiges of the Biden administration’s work. Former CISA employee Josh Corman, now an executive in residence for public safety and resilience at IST, told CyberScoop that the minimum elements update and the international framework were actions akin to “the body continuing to move without its head just because of prior commitments to the [Biden] White House.” 

While SBOM work has stalled under the Trump administration, other experts believe there is more is to come from CISA. “[CISA official] Nick Andersen and [CISA director nominee] Sean Plankey are both supporters of these initiatives,” NetRise co-founder and CEO Tom Pace told CyberScoop. He added, “I know that directly. I also know that we have multiple contracts with the federal civilian agencies, including CISA, that are moving forward for SBOM.”

 CISA insists that it has not slowed its work on SBOM—its efforts have increased.

“We are actively involved in several SBOM-related initiatives, including the G7 Cybersecurity Working Group’s Software Bill of Materials for Artificial Intelligence and the review of nearly 100 public comments on our draft SBOM Minimum Elements,” CISA Director of Public Affairs Marci McCarthy told CyberScoop in a statement. “The recently released Shared Vision of SBOM highlights and reinforces our operational collaboration in action with both international and domestic partners to advance the use of SBOMs.”

Aside from CISA’s actions, other developments at the federal level promise to further advance SBOM. The Consolidated Appropriations Act of 2023 amended the Food, Drug, and Cosmetic Act to mandate SBOMs as part of premarket submissions for healthcare devices at the FDA. In 2023, the Pentagon issued guidance that contains recommendations for SBOM management as part of the military’s supply chain risk management strategy.

On the international level, the EU parliament adopted the Cyber Resilience Act (CRA) in March 2024, which will require all manufacturers and distributors of digital products to share a top-level SBOM with market surveillance authorities as part of the technical documentation provided. The legislation calls for these requirements to take effect in December 2027.

Private sector barriers to SBOM adoption

Even with these advancements, most software providers still don’t provide SBOMs, and most organizations don’t demand them from their suppliers. Black Duck’s latest annual analysis found that 86% of commercial codebases contain open-source vulnerabilities, with 81% carrying high- or critical-risk flaws. Meanwhile, 95% of websites continue running outdated software with known issues.

“Surveys are showing that only 30% of people are doing anything about this,” Sonatype’s Fox said.  “And that’s largely because it’s optional.” 

Corman thinks most organizations find transparency “existentially terrifying.” 

“They have license risks where they’re violating terms and conditions of open-source licenses that can be exposed in lawsuits, and they’re not prone to out themselves voluntarily,” he said. 

Along the same lines, Steve Springett, chair of the CycloneDX Core Working Group and board vice chair of the OWASP Foundation, told CyberScoop that many organizations fear the legal ramifications of disclosing flaws in their software. “The legal departments in a lot of organizations really don’t want them to unnecessarily disclose more information than what is required for normal business activities.”

Nilesh Jain, co-founder and CEO of cybersecurity startup CleanStart, told CyberScoop, “Most companies that we interact with are still trying to figure out the best way to start generating SBOMs. Some of the largest enterprises and banks and financing institutions still don’t use it.”

Cyber vulnerability expert Art Manion points to the so-called “naming problem,” where there are so many versions of software out there that span multiple years, which are tracked using numerous forms of syntax, that it becomes overwhelming to account for this multiplicity in an SBOM framework. 

“Fundamentally, we really are still blocked by not uniformly calling software the same things,” Manion told CyberScoop. “No single source can spend enough time or money or be fast enough to collect and name all the software and keep track of it.”

Friedman, however, thinks this naming problem can be solved “with a little bit of intelligence on the pattern-matching side of things. Instead of trying to build a tool that matches exact string to exact string, we can do some fuzzy matching with a little bit of data science,” he said.

Will generative AI eliminate the need for SBOMs?

While progress on SBOM is slow, there is a simultaneous surge in the adoption and hype cycle of AI-based coding assistants. Some experts believe these tools will reduce or even eliminate software vulnerabilities.

“I’ve created code myself where I’ve instructed my AI coding assistant to go build me some software and not use any software dependencies whatsoever,” Knostic’s Yu told CyberScoop, suggesting that avoiding dependencies can also help prevent vulnerabilities found in those libraries from being included in new software. “You can reference the entirety of open source as a template for what to build, but do not actually use any open-source libraries.”

CycloneDX’s Springett agrees with Yu. “It can be done,” he told CyberScoop. “It’s just not being done today, but it can be done. I’ve seen it being done. In the short term, AI is going to propel the number of first-party vulnerabilities that we create. But in the longer term, AI will be a good peer code reviewer and code author, and will always be on the lookout for insecure code and suggest safer alternatives to developers.”

Opinions on whether AI can create vulnerability-free systems are sharply divided. “It’s absolutely not possible,” Manion said. “I have seen no evidence that AI is going to write secure software.”

“That’s basically saying everything we’ve learned in software engineering over the last 60-plus years is just tossed out the window, and none of those things matter,” Sonatype’s Fox said. “If you want to recreate the wheel and make all the same mistakes, good luck, man.”

“I don’t think it’s possible,” Biswajit De, co-founder and CTO of CleanStart, told CyberScoop. “It is physically impossible to give everything in your prompts to create vulnerability-free code.”

Friedman is skeptical as well. 

“I have a hard time imagining any tool that is trained in the JavaScript or the node package management system, which is heavily reliant on thousands of dependencies, just then turning around and saying, ‘Well, we can write code without dependencies,’ or if they are writing code, it will use those dependencies in practice,” he told CyberScoop. 

He added, “AI-generated code will get better. Anyone who looks at what is being produced today will say, ‘Oh, that’s impressive.’ But large code bases tend to get unwieldy very quickly. You can use AI to try to find and detect vulnerabilities as you write them, but people do that today. There’s nothing magic about AI compared to today’s tools or the future tools.”

The post The slow rise of SBOMs meets the rapid advance of AI appeared first on CyberScoop.