Cryptocurrency Miner Masquerading as GCC Compiler Found in NPM Package

18 points by freedude over 1 year ago

3 comments

naruhodo over 1 year ago
> Humorously, the attacker accidentally published their entire directory structure for this attack in one of the gcc-builder versions. If we weren't confident in our assessment before, we can say without a shadow of a doubt that this is in fact XMR miner masquerading as GCC.

Cut him some slack. He's only 12.

cozzyd over 1 year ago
This is why I use my distro package manager and get annoyed when someone wants me to use something else...

louislang over 1 year ago
Happy to see this on HN! I'm one of the co-founders @ Phylum.

We actively monitor and report on malware and software supply chain attacks across multiple ecosystems. Most notably, we were the first to identify and report on attacks carried out by North Korean state actors in NPM [1], prevented an early typosquat campaign against Rust developers on crates.io [2] and recently a faux email validation utility with a fairly complicated attack chain [3].

We've been monitoring npm the longest, and while I wouldn't classify this particular attack as complex or sophisticated, it's interesting in that it continues the trend of targeting build systems (and more generally, developers).

Our goal is to help clean up as many of these registries as possible, and to provide developers with the tooling to better protect themselves from attack. In doing so, we're open sourcing as many things as we can. We recently open sourced our sandbox [4] that helps lock down disk/networking/env during process execution and have baked this into our open source cli so you can do things like:

    phylum npm install <pkg>

To be clear, this particular package did not execute code during install, so the sandbox wouldn't have come into play, but it would have been blocked by the pre-check against Phylum's API.

Would greatly appreciate any feedback on our extensions and suggestions for improving our sandbox! We recently had a few individuals submit some great issues and suggestions, which we absolutely loved receiving.

Happy to answer any questions about software supply chain attacks or security in general!

1. https://blog.phylum.io/junes-sophisticated-npm-attack-attributed-to-north-korea/
2. https://blog.phylum.io/rust-malware-staged-on-crates-io/
3. https://blog.phylum.io/npm-emails-validator-package-malware/
4. https://github.com/phylum-dev/birdcage
5. https://github.com/phylum-dev/cli