
@ramimac ramimac commented Nov 7, 2025

Using a PR to outline a variety of feedback on A03

Happy to break things out, or just let this be used as a conversation starter.

I'll leave comments on non-grammatical / language changes



* The 2025 Bybit theft of $1.5 billion caused by a supply chain attack in wallet software that only executed when the target wallet was being used. https://thehackernews.com/2025/02/bybit-hack-traced-to-safewallet-supply.html
* The 2025 Bybit theft of $1.5 billion was caused by [a supply chain attack in wallet software](https://www.sygnia.co/blog/sygnia-investigation-bybit-hack/) that only executed when the target wallet was being used.
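Review bot: the rewritten bullet is still vague about what failed; "wallet software" and "only executed when the target wallet was being used" do not say which component was tampered with or what condition triggered the payload. Suggest stating both, taken from the linked Sygnia analysis, so the bullet shows the trust-in-a-third-party-served-component failure that makes this an A03 example rather than just the dollar figure.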

This change is to replace a news piece rewriting research with one of the original incident response analysis pieces.


**Scenario #3:** The GlassWorm supply chain attack in 2025 against the VS Code marketplace has malicious actors implement invisible, self-replicating code into a legitimate extension in the VS Marketplace, as well as several extensions in the OpenVSX Marketplace, which auto-updated onto developer machines. The worm immediately harvested local secrets from the developer machines, attempted to establish command and control, as well as emptied developer’s crypto wallets if possible. This supply chain attack was extremely advanced, fast-spreading, and damaging, and by targeting developer machines it demonstrated developers themselves are now prime targets for supply chain attacks.
**Scenario #3:** The [`Shai-Hulud` supply chain attack](https://www.cisa.gov/news-events/alerts/2025/09/23/widespread-supply-chain-compromise-impacting-npm-ecosystem) in 2025 was the first successful self-propagating npm worm. Attacks seeded malicious versions of popular packages, which used a post-install script to harvest and exfiltrate sensitive data to public GitHub repositories. The malware would also detect npm tokens in the victim environment, and automatically use them to push malicious versions of any accessible package. The worm reached over 500 package versions before being disrupted by npm. This supply chain attack was advanced, fast-spreading, and damaging, and by targeting developer machines it demonstrated developers themselves are now prime targets for supply chain attacks.
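Review bot: "Attacks seeded malicious versions of popular packages" reads as a typo for "Attackers seeded"; please fix. "the first successful self-propagating npm worm" and "over 500 package versions" are strong, specific claims that the linked CISA alert should support, otherwise soften to "one of the first" and cite the count. Since the propagation mechanism is the post-install script plus an exposed npm token, consider one clause tying the scenario to the prevention guidance for this category (scoped, short-lived publishing tokens; disabling lifecycle scripts in CI) so readers see which control would have broken the chain.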

GlassWorm has been debunked: https://mikael.barbero.tech/blog/post/2025-10-27-openvsx-security-update/

> Around the same time, a separate report from Koi Security described a new malware campaign that leveraged some of these leaked tokens to publish malicious extensions. The report referred to this as a “self-propagating worm,” drawing comparisons to the ShaiHulud incident that impacted the npm registry in September. While the report raises valid concerns, we want to clarify that this was not a self-replicating worm

"GlassWorm" also had no actual real-world impact reported.

Shai-Hulud is a more impactful, real example of a worm.

Happy to propose additional high-signal / concrete examples if the goal is to also highlight the IDE ecosystem



* CVE-2017-5638, a Struts 2 remote code execution vulnerability that enables the execution of arbitrary code on the server, has been blamed for significant breaches.
* While the internet of things (IoT) is frequently difficult or impossible to patch, the importance of patching them can be great (e.g., biomedical devices).
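Review bot: the comment below says a Log4Shell bullet was added, but no such line appears in this region; if it is in the final diff, give it the same shape as the Struts bullet (CVE identifier plus a one-line impact statement and a primary reference). The Struts bullet itself is redundant ("remote code execution vulnerability that enables the execution of arbitrary code") and "has been blamed for significant breaches" is vague; name or cite the breach. If the IoT bullet is removed rather than rewritten, its underlying point (components that cannot be patched but carry high-impact consequences) is still an inherited-dependency risk for A03 and could survive as a half sentence elsewhere.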

It's not clear to me that this discussion of IoT is relevant to OWASP Top 10, and I think it is less timely than it was in past versions.

Added Log4Shell as a slightly more recent complement to Struts2
