npm Ecosystem Hit by Large-Scale Poisoning: TanStack, Mistral AI, UiPath Affected, Can Steal Cloud Keys and GitHub Tokens
AI HOT Featured · 3,997 characters (about 16 minutes)
A large-scale supply chain attack hit the npm ecosystem, affecting over 160 packages including TanStack, Mistral AI, and UiPath; attackers used GitHub Actions vulnerabilities and OIDC tokens to publish malicious code under trusted identities.
Reason for selection: the attackers exploited a GitHub Actions pull_request_target vulnerability together with cross-fork cache poisoning, bypassing dual verification to complete the malicious publication.
Featured Article #npm #supply chain attack #GitHub Actions #security vulnerability #open source ecosystem
