[IT-SecNots] [Security-news] Third-Party Libraries and Supply Chains - PSA-2025-09-17
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecNots] [Security-news] Third-Party Libraries and Supply Chains - PSA-2025-09-17
- Date: Wed, 17 Sep 2025 20:30:10 +0000 (UTC)
- List-archive: <http://lists.drupal.org/pipermail/security-news/>
- List-id: <security-news.drupal.org>
View online: https://www.drupal.org/psa-2025-09-17
Date: 2025-September-17
Description:
.... Supply-chain attack via maintainer account takeover
NPM [1] packages have been targeted in maintainer account takeover attacks.
Attackers have deployed an automatic credential scanning tool. The scanning
tool tries to find secret keys that may have been published to public systems
like build automation and continuous integration (CI) systems and sends such
credentials back to the attacker. From there, the vulnerable NPM packages are
downloaded, modified to insert a trojan-like script bundle, and then
republished. These maliciously modified packages can then be used to exploit
any application that has installed these packages.
Coverage and advice on remediation:
* The Hacker News - 40 NPM Packages Compromised [2]
* Socket.dev - Supply Chain Attack [3]
* Aikido - S1ngularity/nx attackers strike again [4]
* Aikido - npm debug and chalk packages compromised [5]
* Wiz.io - Shai-Hulud npm supply chain attack [6]
While this attack has targeted NPM packages, the same strategy could be used
to exploit other packages as well.
.... Managing supply-chain security
Website owners should actively manage their dependencies, potentially
leveraging a Software Bill of Materials (SBOM) or scanner services. Other
relevant tools include CSP [7] and SRI [8].
It is the policy of the Drupal Security Team that site owners are responsible
for monitoring and maintaining the security of third-party libraries and any
non-Drupal components of the stack. In rare cases, the Drupal Security Team
will post an informational public service announcement [9] (PSA) such as this
one, but the remit of the Drupal Security Team remains limited to code hosted
on Drupal.org’s systems. Previous PSAs on third-party code in the Drupal
ecosystem include:
* External libraries and plugins - PSA-2011-002 [10]
* Various Third-Party Vulnerabilities - PSA-2019-09-04 [11]
* Third-Party Libraries and Supply Chains - PSA-2024-06-26 [12]
.... Impact to the Drupal project itself
Drupal's infrastructure maintainers, the Drupal Security Team, and Drupal
core maintainers have received tips about this situation from several
sources. Individuals in those groups have evaluated their exposure and we
believe the Drupal project itself is not affected by this issue. If you have
information about concerns that Drupal is affected please reach out to us
[13].
/This post is likely to be updated as the situation evolves and more
information is available./
Reported By:
* nicxvan [14]
Coordinated By:
* Greg Knaddison (greggles) [15] of the Drupal Security Team
* Tim Hestenes Lehnen (hestenet) [16]
* Dave Long (longwave) [17] of the Drupal Security Team
* Drew Webber (mcdruid) [18] of the Drupal Security Team
* Jess (xjm) [19] of the Drupal Security Team
* cilefen [20] of the Drupal Security Team
------------------------------------------------------------------------------
Contribution record [21]
[1] https://www.npmjs.com
[2] https://thehackernews.com/2025/09/40-npm-packages-compromised-in-supply.html
[3] https://socket.dev/blog/ongoing-supply-chain-attack-targets-crowdstrike-npm-packages
[4] https://www.aikido.dev/blog/s1ngularity-nx-attackers-strike-again
[5] https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised
[6] https://www.wiz.io/blog/shai-hulud-npm-supply-chain-attack
[7] https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
[8] https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity
[9] https://www.drupal.org/security/psa
[10] https://www.drupal.org/node/1189632
[11] https://www.drupal.org/psa-2019-09-04
[12] https://www.drupal.org/psa-2024-06-26
[13] https://www.drupal.org/docs/develop/issues/issue-procedures-and-etiquette/reporting-a-security-issue
[14] https://www.drupal.org/u/nicxvan
[15] https://www.drupal.org/u/greggles
[16] https://www.drupal.org/u/hestenet
[17] https://www.drupal.org/u/longwave
[18] https://www.drupal.org/u/mcdruid
[19] https://www.drupal.org/u/xjm
[20] https://www.drupal.org/u/cilefen
[21] https://new.drupal.org/contribution-record?source_link=https%3A//www.drupal.org/node/3547270
_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news