Security vendor Sonatype detected 6933 malicious open source packages in the month of March alone, bringing the total discovered since 2019 to 115,165. Info-stealers comprised a significant number of these malicious components, including copycats of the popular W4SP stealer, such as one called “microsoft-helper” from an author self-described as “idklmao.” “The name of the package, microsoft-helper, might be the bad actors’ attempt to disguise its malicious nature, maybe with the goal of potentially adding it as a dependency of a popular package they’ve already owned,” Sonatype explained.