
New Hak5 Video Discusses Major Software Supply Chain Attack and AI in Code Development
The video opens with a major software supply chain attack that took place on Monday, September 8. The attackers compromised a set of 18 npm packages that sit at the core of the JavaScript ecosystem and together account for more than 2 billion downloads per week. The packages are maintained by Josh Junon, known as qix on GitHub and npm. The Aikido Security team detected the attack quickly after noticing unexpected changes in the newly published versions. The injected code was heavily obfuscated and hooked browser API calls to rewrite cryptocurrency transactions in flight, redirecting funds and draining wallets.

Junon acknowledged that he had fallen for a convincing phishing email. The message posed as a request from npm to update his two-factor authentication (2FA) details, and acting on it cost him control of his npm account. The attackers then used that access to publish backdoored versions of the packages. Thanks to Aikido's rapid response, the compromised versions were pulled, clean releases were published, and Junon regained access to his account.

The video also looks at the impact of AI on code development. A recent study by the Apiiro team found a significant increase in security vulnerabilities in AI-generated code. While AI assistants reduce trivial syntax errors and simple logic bugs, they introduce privilege escalation paths and architectural design flaws, and those are harder to detect with traditional analysis tools. The finding underlines the need for security tooling built for the AI era.

Another topic is the discovery of three misissued TLS certificates that had been valid for several months. They were issued for the IP address 1.1.1.1, the public DNS resolver operated by Cloudflare in partnership with the Asia-Pacific Network Information Centre (APNIC), the regional Internet registry. The certificates were issued by Fina RDC 2020, a certificate authority included in Microsoft's root certificate program. As a result they are trusted by Microsoft Edge, which relies on Microsoft's root store, but not by Chrome, Firefox, or Safari. Microsoft is working to block the misissued certificates.

The video closes with a call to action, encouraging viewers to share their experiences with AI in code development and to stay vigilant against emerging security threats.
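Returning to the npm compromise described at the start of the video: the first triage step after an incident like this is to check whether any of the compromised versions are present in your lockfiles. The following Node.js script is an added example written for this page; it is not code from the video, Hak5, Aikido Security, or the affected packages. The advisory entries (`example-colorize`, `example-debug` and their versions), the lockfile fragment and the file name `scan-lock.js` are constructed placeholders, to be replaced with the real name/version pairs from the advisory you are responding to.

```javascript
// Added example, not code from the video, Hak5 or Aikido Security: scan an
// npm package-lock.json (lockfileVersion 2 or 3) for exact package@version
// pairs that a compromise advisory lists as malicious.
"use strict";

// Constructed, hypothetical advisory list. The names and versions are
// placeholders; substitute the real pairs from the advisory you are handling.
const COMPROMISED = new Map([
  ["example-colorize", new Set(["5.6.1"])],
  ["example-debug", new Set(["4.4.2"])],
]);

// Constructed lockfile fragment used as sample input so the script runs
// offline. A real lockfile has many more fields; only "version" is needed.
const SAMPLE_LOCK = JSON.stringify({
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { "example-colorize": "^5.6.0" } },
    "node_modules/example-colorize": { version: "5.6.1" },
    "node_modules/example-debug": { version: "4.4.1" },
    // Same package nested under another dependency: a transitive hit that
    // looking only at your direct dependencies would miss.
    "node_modules/some-tool/node_modules/example-debug": { version: "4.4.2" },
  },
});

// Turn a "packages" key into the bare package name. Keys are paths such as
// "node_modules/a/node_modules/@scope/b"; the name is whatever follows the
// last "node_modules/". The root project entry ("") yields null.
function packageNameFromKey(key) {
  const marker = "node_modules/";
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? null : key.slice(idx + marker.length);
}

// Return every installed instance of a compromised version, with its path,
// so nested copies are reported separately from top-level ones.
function findCompromised(lockText, advisory = COMPROMISED) {
  const lock = JSON.parse(lockText);
  if (!lock.packages) {
    throw new Error("lockfileVersion 1 has no 'packages' map; regenerate with npm 7 or later");
  }
  const hits = [];
  for (const [key, entry] of Object.entries(lock.packages)) {
    const name = packageNameFromKey(key);
    if (name === null) continue;
    const badVersions = advisory.get(name);
    if (badVersions && badVersions.has(entry.version)) {
      hits.push({ name, version: entry.version, path: key });
    }
  }
  return hits;
}

// CLI: `node scan-lock.js path/to/package-lock.json`; with no argument the
// constructed sample is scanned. Exit status 1 on a hit lets the script gate
// a CI pipeline.
function main() {
  const fs = require("fs");
  const file = process.argv[2];
  const hits = findCompromised(file ? fs.readFileSync(file, "utf8") : SAMPLE_LOCK);
  for (const h of hits) {
    console.log(`COMPROMISED ${h.name}@${h.version} at ${h.path}`);
  }
  if (hits.length === 0) console.log("no compromised versions found");
  if (file) process.exitCode = hits.length ? 1 : 0;
}

if (typeof require !== "undefined" && require.main === module) main();
```

Matching on exact versions is deliberate: the malicious code existed only in the versions the attackers published, so an install that resolved an earlier release is unaffected, and a semver range in package.json says nothing about which version was actually installed. Only the lockfile does. Because the payload in this incident ran in the browser, a hit in a front-end project also means any bundle built from that lockfile should be rebuilt after the dependency is rolled back.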