
Socket (@SocketSecurity) “🚨 The popular PyPI package lightning has been compromised in a supply chain att” — TopicDigg

Socket
@SocketSecurity
Socket is the #1 software supply chain security platform. Next-gen SCA + SBOM + 0-day prevention. LOVED BY DEVELOPERS. 👀 @npm_malware
Joined November 2021
4.6K Following    15.4K Followers
🚨 The popular PyPI package lightning has been compromised in a supply chain attack. Socket detected malicious code in versions 2.6.2 and 2.6.3 that executes automatically on import, downloads Bun, and runs an 11 MB obfuscated JavaScript payload designed to steal credentials. This appears to be connected to yesterday's mini Shai-Hulud attack, but we're still investigating. #Python
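Added example, not part of the original post or Socket's tooling: because the post says the malicious code runs on import, this check reads requirements-style text and installed package metadata without ever importing `lightning`. The function names and the sample requirements text are assumptions constructed for illustration; the package name and the two versions come from the post.

```python
import re
from importlib import metadata

# Package name and versions as named in the post above.
AFFECTED_NAME = "lightning"
AFFECTED_VERSIONS = {"2.6.2", "2.6.3"}

# name, optional [extras], then an exact pin (== or ===) and the version
_PIN = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*===?\s*([A-Za-z0-9.!+*_-]+)"
)

def normalize(name):
    """PEP 503 name normalisation, so 'Lightning' matches 'lightning'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def affected_pins(text):
    """Return (line_number, version) for each exact pin of an affected release.

    Range specifiers (>=, ~=) are not reported; resolve those with the lock file.
    """
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        match = _PIN.match(line.split("#", 1)[0])  # ignore trailing comments
        if match and normalize(match.group(1)) == AFFECTED_NAME \
                and match.group(2) in AFFECTED_VERSIONS:
            hits.append((number, match.group(2)))
    return hits

def installed_affected_version(lookup=metadata.version):
    """Read the installed version from metadata only; the package is never imported."""
    try:
        version = lookup(AFFECTED_NAME)
    except metadata.PackageNotFoundError:
        return None
    return version if version in AFFECTED_VERSIONS else None

# Constructed requirements text for illustration; not from a real project.
SAMPLE = """\
torch==2.3.0
Lightning==2.6.3 \\
    --hash=sha256:<placeholder>
lightning-utilities==0.11.2
lightning[extra]==2.6.2  # pinned last week
lightning>=2.6.0
"""

if __name__ == "__main__":
    print("pinned:", affected_pins(SAMPLE))
    print("installed:", installed_affected_version())
```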