Treasury says Chinese hackers stole documents in 'major incident'

Welcome to the latest edition of Chainmail: Software Supply Chain Security News, which brings you the latest software security headlines from around the world, curated by the team at ReversingLabs.

This week: A leaked API key helped Chinese state-sponsored hackers breach the U.S. Treasury. Also: New 'OtterCookie' malware used to backdoor devs in fake job offers.

This Week’s Top Story

Treasury says Chinese hackers stole documents in 'major incident'

Chinese state-sponsored hackers managed to breach the U.S. Department of the Treasury in early December by compromising BeyondTrust, a third-party cybersecurity service provider to the department. The hackers stole documents from the Treasury, but the documents were unclassified.

In a letter from the department to U.S. lawmakers, officials shared that the incident occurred when hackers gained access to an API key used by BeyondTrust to secure a cloud-based service used by Treasury’s end users. Because the API key was exposed, attackers were able to “override the service’s security, remotely access certain Treasury Department Office user workstations, and access certain unclassified documents maintained by those users," the letter stated.

Upon learning of the security incident, BeyondTrust notified the customers involved, as well as law enforcement, the company told Reuters. Since being notified, the Treasury Department has been working closely with the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI to resolve the issue.

SentinelOne threat researcher Tom Hegel told Reuters that this particular incident "fits a well-documented pattern of operations by PRC-linked groups, with a particular focus on abusing trusted third-party services — a method that has become increasingly prominent in recent years.”

Stealing sensitive software secrets, such as API keys, is a proven way for attackers to target organizations’ software supply chains. Organizations wishing to avoid such attacks should employ robust secrets management, both for their own software development and for the third-party software they depend on, to minimize risk.

(Reuters)
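A defender-side illustration of the secrets-management point above: an added example, not code from ReversingLabs or from the article, that scans configuration lines for credential-like strings so a leaked key is caught in a pre-commit hook or CI job rather than in an incident report. The credential formats, the entropy threshold, the redaction rule and the sample config lines are all constructed assumptions for the demo.

```python
import math
import re
from dataclasses import dataclass

# Regexes for a few common credential formats. The AWS and GitHub shapes use
# their documented public prefixes; the generic rule is an assumption that
# catches "api_key = <long value>" style assignments. Not an exhaustive list.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "generic_api_key": re.compile(
        r"(?i)\b(api[_-]?key|secret|token)\b\s*[:=]\s*['\"]?([A-Za-z0-9_\-]{20,})"
    ),
}


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str
    preview: str  # redacted form: a scanner must not copy the secret into its own logs


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; placeholders like 'xxxx' score near 0."""
    if not value:
        return 0.0
    counts: dict[str, int] = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def redact(token: str) -> str:
    """Keep just enough of the token to locate it in the file."""
    return token[:4] + "..." + token[-2:] if len(token) > 8 else "***"


def scan_lines(lines, min_entropy: float = 3.0) -> list[Finding]:
    """Return one Finding per credential-like match, in file order."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                # The generic rule captures the value in its last group; the
                # fixed-format rules have no groups, so the whole match is the token.
                token = match.group(match.lastindex) if match.lastindex else match.group(0)
                if kind == "generic_api_key" and shannon_entropy(token) < min_entropy:
                    continue  # low-entropy placeholder, not a real credential
                findings.append(Finding(line_no, kind, redact(token)))
    return findings


# Constructed sample config lines for the demo. The AWS value is the
# publicly documented example key; the others are made up and never valid.
SAMPLE_CONFIG = [
    "# sample service configuration (constructed for this example)",
    "service_url = https://example.invalid/api",
    "aws_access_key_id = AKIAIOSFODNN7EXAMPLE",
    'api_key = "xxxxxxxxxxxxxxxxxxxxxxxx"',
    "GITHUB_TOKEN=ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789",
    "token: 'q7Rk2pL9xZ4mN8vB1cW5yT3uH6jE0sA2dF'",
]


if __name__ == "__main__":
    for finding in scan_lines(SAMPLE_CONFIG):
        print(f"line {finding.line_no}: {finding.kind} ({finding.preview})")
```

Run against the sample it reports the AWS key, the GitHub token and the high-entropy generic value, and skips the all-x placeholder. Pattern lists only catch formats you anticipated, and scanning your own repositories would not have surfaced a vendor's key as in the Treasury case, so treat a scanner like this as one layer on top of vault-backed secret storage, short key lifetimes and routine rotation.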

This Week’s Headlines

'OtterCookie' malware used to backdoor devs in fake job offers

A new development has surfaced in the malicious campaign known as Contagious Interview, which North Korean threat actors have been running since at least December 2022. The campaign targets developers across several open-source platforms with fake job interviews that deliver various malware strains. In this most recent development, researchers at Palo Alto Networks have discovered a new malware family, OtterCookie, being used. OtterCookie is delivered via Node.js projects or npm packages downloaded from GitHub or Bitbucket. (BleepingComputer)

GitHub has a major problem with fake rankings

Similar to likes on social media, users on GitHub can give stars to repositories as a show of support. With more stars, repositories rise in GitHub’s global ranking and recommendations. While the star system is beneficial in some cases, it presents serious security risks. New research shows that there are currently 4.5 million fake stars on GitHub, many likely stemming from malicious actors creating automated GitHub accounts to artificially star malware-laden repositories. (Tech Radar)

Open source in 2025: Strap in, disruption straight ahead

The New Stack team has shared its predictions for the future of open source software (OSS) in 2025. Developments to consider include increasing turbulence from consolidation in the cloud native ecosystem, and how open-source artificial intelligence (AI) is defined, especially in the wake of the Open Source Initiative releasing v1.0 of its formal definition. Security experts are concerned that cyber attackers will continue to exploit open-source platforms in more complex ways that rely on AI, which they believe calls for the adoption of new tooling that can detect such threats. The security of these platforms is also in question because of the lack of compensation maintainers receive beyond “GitHub stars and kissy-face emojis.” (The New Stack)

CISOs don’t invest enough in code security

Cycode researchers found that 72% of security leaders see AI as necessitating a complete reset of how organizations approach application security (AppSec). With an estimated 93 billion lines of code generated in part by GenAI coding tools in the past year alone, the researchers stress that the problem has reached critical mass. IDC researchers confirm Cycode’s findings and highlight that insecure AI-generated code ranks among the top AppSec challenges for organizations in 2024. “As development and threat environments grow more complex, strengthening code security is crucial to safeguarding innovation efforts,” said Katie Norton, Research Manager at IDC. See this RL webinar where Norton discusses IDC’s findings in full. (HelpNet Security)

For more insights on software supply chain security, see the RL Blog.

The Best of RL

Blog | 8-K cybersecurity-incident disclosures to the SEC: A 2024 timeline

Here’s what the filings are all about, plus key insights into attack trends — and the bigger picture for cybersecurity. [Read It Now]

Blog | OSS in the crosshairs: Cryptomining hacks highlight key new threat

RL research has found that hacks of rspack and vant highlight the growing trend of cryptomining compromises spreading via top open-source packages. [Read It Now]

Webinar | Inside the Code: Uncovering Q4’s Alarming Supply Chain Threats

Thursday, Jan 9 at 11 am ET

As we enter 2025, cyber threats to the software supply chain continue to evolve, exploiting popular platforms and tools to infiltrate systems and disrupt workflows. In this Q4 threat research roundup, join threat research experts from RL as they dissect the most significant findings of the last quarter. [Save Your Seat]

For more great conversations to watch, see RL’s on-demand webinar library.


Mauricio Ortiz, CISA

Great dad | Inspired Risk Management and Security | Cybersecurity | AI Governance | Data Science & Analytics My posts and comments are my personal views and perspectives but not those of my employer

1 month

ReversingLabs, great content! Indeed, in 2025, OSS will continue facing an increasing number of attacks by threat actors, given OSS's convenience and the trust developers place in it, as well as the supply chain impact they achieve if they compromise any popular repos or packages.
