Mini Shai-Hulud Strikes Again: 314 npm Packages Compromised
Summary
SafeDep analyzes a supply-chain attack in which the atool npm account published 637 malicious versions across 317 packages in two automated waves, each carrying a 498KB obfuscated Bun-based payload. The payload harvests credentials from CI/CD environments, exfiltrates them via the GitHub API, injects CI/CD workflows, and uses Sigstore-assisted code signing, establishing persistence through multiple layers and receiving instructions from a GitHub dead-drop C2. The article provides IoCs and remediation guidance, and calls for lockfile pinning, credential rotation, and thorough pipeline auditing.