forked from IQTLabs/software-supply-chain-compromises
software_supply_chain_attacks.csv
initial_compromise_date,detection_date,report_date,number_of_attacks,technology,description,reference,comments,build_system_compromise,source_code_compromise,firmware_implant,certificate_attack,delivery_system_compromise,account_takeover,dependency_compromise,malicious_package,typosquatting,attack_major_category,attack_minor_category
12/2/03,12/2/03,12/3/03,1,Gentoo,One of the servers that makes up the rsync.gentoo.org rotation was compromised via a remote exploit.,https://archives.gentoo.org/gentoo-announce/message/7b0581416ddd91522c14513cb789f17a,,0,0,0,0,1,0,0,0,0,"Build, Source, and Publishing Infrastructure Attack",Publishing Infrastructure: Delivery System Compromise
unknown,8/15/08,8/22/08,1,Fedora,Fedora servers were illegally accessed. One of the compromised Fedora servers was a system used for signing Fedora packages.,https://www.redhat.com/archives/fedora-announce-list/2008-August/msg00012.html,,0,0,0,0,1,0,0,0,0,"Build, Source, and Publishing Infrastructure Attack",Publishing Infrastructure: Delivery System Compromise
unknown,12/1/09,1/11/10,2,Android Marketplace,"According to a blog post from the First Tech Credit Union, an app developer called 09Droid created applications which posed as a shell for mobile banking applications and published them to Android Marketplace, and in the process phished personal information about the users’ bank accounts.",https://nakedsecurity.sophos.com/2010/01/11/banking-malware-android-marketplace/,One credit union that was impacted reported that users were receiving emails promoting the app during the first 2 weeks of December.,0,0,0,0,0,0,0,1,0,Software Registry Attacks,Malicious Package
unknown,unknown,1/12/10,20,Perforce,"A targeted user received a phishing email that allowed the attacker to install malware. As a result, attackers had complete access to internal systems. They targeted sources of intellectual property, including software configuration management (SCM) systems accessible by the compromised system. The compromised system could also be leveraged to further penetrate the network.",https://www.wired.com/images_blogs/threatlevel/2010/03/operationaurora_wp_0310_fnl.pdf https://googleblog.blogspot.com/2010/01/new-approach-to-china.html,,0,1,0,0,0,0,0,0,0,"Build, Source, and Publishing Infrastructure Attack",Source Code System Compromise
11/28/10,12/2/10,12/3/10,1,ProFTPD,"The open-source ProFTPD project has been hacked by unknown attackers who planted a backdoor in the source code. As a result of the hack, the project's main FTP server, as well as all of the mirror servers, have carried compromised versions of the ProFTPD1.3.3c source code, from the November 28 2010 to December 2 2010.","https://www.zdnet.com/article/open-source-proftpd-hacked-backdoor-planted-in-source-code/
https://www.aldeid.com/wiki/Exploits/proftpd-1.3.3c-backdoor",,0,0,0,0,1,0,0,0,0,"Build, Source, and Publishing Infrastructure Attack",Publishing Infrastructure: Delivery System Compromise
unknown,unknown,12/29/10,5,Android Apps,"Dubbed ""Geinimi"" based on its first known incarnation, this Trojan can compromise a significant amount of personal data on a user’s phone and send it to remote servers. Once the malware is installed on a user’s phone, it has the potential to receive commands from a remote server that allow the owner of that server to control the phone. Geinimi is effectively being ""grafted"" onto repackaged versions of legitimate applications, primarily games, and distributed in third-party Chinese Android app markets. ",https://blog.lookout.com/security-alert-geinimi-sophisticated-new-android-trojan-found-in-wild,,0,0,0,0,0,0,0,1,0,Software Registry Attacks,Malicious Package
1/22/11,1/22/11,1/25/11,1,Fedora,A Fedora contributor account with push access to packages in the Fedora SCM and the ability to perform builds and make updates to Fedora package was compromised.,https://lists.fedoraproject.org/pipermail/announce/2011-January/002911.html,,0,0,0,0,0,1,0,0,0,Software Registry Attacks,Account Takeover
unknown,3/1/11,3/1/11,56,Android Marketplace,Multiple applications available in the Official Android Market were found to contain malware which could compromise a significant amount of personal data. More than 50 applications have been found to be infected with a new type of Android malware called DroidDream.,https://blog.lookout.com/security-alert-droiddream-malware-found-in-official-android-market,,0,0,0,0,0,0,0,1,0,Software Registry Attacks,Malicious Package
unknown,5/28/11,5/30/11,34,Android Marketplace,"Multiple applications available in the official Android Market were found to contain malware that can compromise a significant amount of personal data. Likely created by the same developers who brought DroidDream to market back in March, 26 applications were found to be infected with a stripped down version of DroidDream called “Droid Dream Light” (DDLight).",https://blog.lookout.com/update-security-alert-droiddreamlight-new-malware-from-the-developers-of-droiddream,,0,0,0,0,0,0,0,1,0,Software Registry Attacks,Malicious Package
unknown,unknown,7/8/11,4,Android Marketplace,"A new variant of DroidDream Light was found in the Android Market, which Google already removed from the Android Market.",https://blog.lookout.com/security-alert-new-droiddream-light-variant-published-to-android-market,,0,0,0,0,0,0,0,1,0,Software Registry Attacks,Malicious Package
unknown,unknown,8/12/11,1,ALZip,"Attackers with Chinese IP addresses uploaded malware to a server used to update ESTsoft's ALZip compression application, South Korean news outlets said. The upgrades eventually caused the compromise of 62 PCs at SK Communications that used the program. Attackers then tapped the machines to steal the names, user IDs, hashed passwords, birthdates, genders, telephone numbers, and street and email addresses contained in a database connected to the same network.",https://www.theregister.com/2011/08/12/estsoft_korean_megahack/,,0,0,0,0,1,0,0,0,0,"Build, Source, and Publishing Infrastructure Attack",Publishing Infrastructure: Delivery System Compromise
6/17/11,7/19/11,8/29/11,1,DigiNotar,A security breach at DigiNotar resulted in the fraudulent issuing of over 500 digital certificates.,https://media.threatpost.com/wp-content/uploads/sites/103/2011/09/07061400/rapport-fox-it-operation-black-tulip-v1-0.pdf,,1,0,0,1,0,0,0,0,0,"Build, Source, and Publishing Infrastructure Attack",Publishing Infrastructure: Certificate Attack
unknown,unknown,8/31/11,1,Linux kernel,The main kernel.org server was recently compromised by an unknown intruder. This person was able to gain root access.,"https://www.linuxfoundation.org/blog/2011/08/the-cracking-of-kernel-org/
https://www.theregister.co.uk/2016/09/02/alleged_linux_hacker_arrested/",,1,0,0,0,1,0,0,0,0,"Build, Source, and Publishing Infrastructure Attack",Publishing Infrastructure: Delivery System Compromise
unknown,unknown,4/12/12,1,Android Apps,SophosLabs recently encountered malware-infected editions of the “Angry Birds Space” game which have been placed in unofficial Android app stores. Please note: The version of “Angry Birds Space” in the official Android market (recently renamed “Google Play”) is *not* affected.,https://nakedsecurity.sophos.com/2012/04/12/android-malware-angry-birds-space-game/,,0,0,0,0,0,0,0,1,0,Software Registry Attacks,Malicious Package
unknown,unknown,9/27/12,2,Digital Certificate,Adobe recently received two malicious utilities that appeared to be digitally signed using a valid Adobe code signing certificate. The discovery of these utilities was isolated to a single source. Adobe has identified a compromised build server with access to the Adobe code signing infrastructure.,https://blogs.adobe.com/security/2012/09/inappropriate-use-of-adobe-code-signing-certificate.html,,1,0,0,1,0,0,0,0,0,"Build, Source, and Publishing Infrastructure Attack",Publishing Infrastructure: Certificate Attack
unknown,unknown,2/9/13,1,Digital Certificate,A malicious third party was able to illegally gain temporary access to one of Bit9's digital code-signing certificates that they then used to illegitimately sign malware.,https://www.carbonblack.com/blog/bit9-and-our-customers-security/,,1,0,0,1,0,0,0,0,0,"Build, Source, and Publishing Infrastructure Attack",Publishing Infrastructure: Certificate Attack
unknown,10/1/11,4/1/13,11,Digital Certificate,The Winnti group used stolen certificates to sign its malware and stole source code and other IP of several gaming companies.,https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/20134508/winnti-more-than-just-a-game-130410.pdf,"The detection date is a rough guess given that the source reports detection in ""autumn"" 2011. Number of attacks was set to eleven because of the number of stolen certificates.",0,1,0,1,0,0,0,0,0,"Build, Source, and Publishing Infrastructure Attack",Publishing Infrastructure: Certificate Attack
unknown,unknown,6/25/13,2,SimDisk and Songsari,The auto-update mechanism related to the legitimate installer file SimDisk.exe and Songsari_setup.exe were compromised to include an additional malicious payload.,https://blog.trendmicro.com/trendlabs-security-intelligence/compromised-auto-update-mechanism-affects-south-korean-users/,,0,0,0,0,1,0,0,0,0,"Build, Source, and Publishing Infrastructure Attack",Publishing Infrastructure: Delivery System Compromise
unknown,1/2/14,2/19/14,1,GOM Player,"The attackers subverted the distribution server of GOM Player software and delivered a malicious version of the software to users. Upon connecting to the application website to update the installed software, users were redirected to a different website, controlled by the attackers. As a result, the users received a modified version of the software bundled with a Trojan.",https://www.contextis.com/en/blog/context-threat-intelligence-the-monju-incident,,0,0,0,0,1,0,0,0,0,"Build, Source, and Publishing Infrastructure Attack",Publishing Infrastructure: Delivery System Compromise
6/17/14,6/17/14,6/18/14,1,Code Spaces,"Code Spaces, a code hosting platform, went out of business after a hacker deleted most of its machines, customer data and backups.",https://threatpost.com/hacker-puts-hosting-service-code-spaces-out-of-business/106761/,,0,1,0,0,0,0,0,0,0,"Build, Source, and Publishing Infrastructure Attack",Source Code System Compromise
unknown,unknown,6/30/14,3,ICS-related software,"A group identified as ""Dragonfly"" by Symantec compromised legitimate software packages created by ICS equipment providers.",https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7382dce7-0260-4782-84cc-890971ed3f17&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments,,0,0,0,0,1,0,0,0,0,"Build, Source, and Publishing Infrastructure Attack",Publishing Infrastructure: Delivery System Compromise
unknown,unknown,1/19/15,2,League of Legends and Path of Exile,"Official releases of two popular online games were found to be compromised, downloading malware onto computers. The games that were used in the attack were online games League of Legends (LoL) and Path of Exile (PoE). Variants of the remote access Trojan (RAT) PlugX were found in the official releases of the three games, and appeared to target users based in certain countries in Asia. The infection chain is triggered by downloading the legitimate installer or updates for the game itself. These compromised official releases were traced back to Garena, a consumer Internet platform provider in Asia. In an official post, Garena stated that “computers and patch servers were infected with Trojans.”",https://blog.trendmicro.com/trendlabs-security-intelligence/plugx-malware-found-in-official-releases-of-league-of-legends-path-of-exile/,,0,0,0,0,1,0,0,0,0,"Build, Source, and Publishing Infrastructure Attack",Publishing Infrastructure: Delivery System Compromise
unknown,unknown,9/17/15,2,Ceph and Inktank,The Ceph community site and the Inktank download site were hacked. Malicious Ceph and Inktank applications were signed by a compromised key.,https://access.redhat.com/blogs/766093/posts/2176181,,1,1,0,1,1,0,0,0,0,"Build, Source, and Publishing Infrastructure Attack",Publishing Infrastructure: Delivery System Compromise
3/1/15,9/17/15,9/17/15,1,Xcode,XcodeGhost is the first compiler malware in OS X. Its malicious code is located in a Mach-O object file that was repackaged into some versions of Xcode installers. These malicious installers were then uploaded to Baidu’s cloud file sharing service for use by Chinese iOS/OS X developers. Xcode is Apple’s official tool for developing iOS or OS X apps and it is clear that some Chinese developers have downloaded these Trojanized packages.,https://unit42.paloaltonetworks.com/novel-malware-xcodeghost-modifies-xcode-infects-apple-ios-apps-and-hits-app-store/,,1,0,0,0,0,0,0,0,0,"Build, Source, and Publishing Infrastructure Attack",Build System Compromise
unknown,unknown,12/17/15,1,ScreenOS,"Malicious code was inserted in the operating system of Juniper NetScreen VPN routers. This unauthorized code enabled remote administrative access, and allowed passive decryption of VPN traffic. The first backdoor was implanted in the SSH password checker; the second compromised a pseudorandom number generator.",https://forums.juniper.net/t5/Security-Incident-Response/Important-Announcement-about-ScreenOS/ba-p/285554,,0,1,0,0,0,0,0,0,0,"Build, Source, and Publishing Infrastructure Attack",Source Code System Compromise
2/20/16,2/20/16,2/21/16,1,Linux Mint,"Hackers made a modified Linux Mint ISO, with a backdoor in it, and managed to hack the Linux Mint website to point to it.",https://blog.linuxmint.com/?p=2994,,0,0,0,0,1,0,0,0,0,"Build, Source, and Publishing Infrastructure Attack",Publishing Infrastructure: Delivery System Compromise
3/4/16,3/4/16,3/6/16,1,Transmission,"Attackers infected two Transmission v2.90 installers available from the Transmission website with KeRanger, using a valid developer key that was not associated with Transmission.",https://unit42.paloaltonetworks.com/new-os-x-ransomware-keranger-infected-transmission-bittorrent-client-installer/,,0,0,0,0,1,0,0,0,0,"Build, Source, and Publishing Infrastructure Attack",Publishing Infrastructure: Delivery System Compromise
11/4/15,3/17/16,3/17/16,214,"npm, PyPi, RubyGems.org","As a research project, a student uploaded 214 packages to npm, PyPi, and RubyGems.org to evaluate the potential of typosquatting attacks. There were 19721 unique installations over approximately 6 weeks.",https://incolumitas.com/data/thesis.pdf,,0,0,0,0,0,0,0,0,1,Software Registry Attacks,Typosquatting
3/23/16,3/23/16,3/23/16,273,npm, Azer Koçulu unpublished 273 npm packages he maintained after losing a dispute over control of the package name kik.,https://blog.npmjs.org/post/141577284765/kik-left-pad-and-npm,,0,0,0,0,0,0,1,0,0,Software Registry Attacks,Dependency Compromise
4/9/15,4/26/16,6/30/16,1,EvLog,Attackers breached the download server of an application (used by system administrators to analyze Windows logs) and replaced the legitimate application and updates with a signed malicious version.,"http://www.eventid.net/evlog/evlogsecnote.asp
https://www.rsa.com/en-us/blog/2017-02/kingslayer-a-supply-chain-attack",,0,0,0,0,1,0,0,0,0,"Build, Source, and Publishing Infrastructure Attack",Publishing Infrastructure: Delivery System Compromise
7/4/16,7/4/16,7/7/16,1,Android Apps,"Proofpoint found an infected Android version of the mobile game Pokemon Go on third party app servers. This particular APK has been modified, including a malicious remote access tool called DroidJack (also known as SandroRAT).",https://www.proofpoint.com/us/threat-insight/post/droidjack-uses-side-load-backdoored-pokemon-go-android-app,,0,0,0,0,0,0,0,1,0,Software Registry Attacks,Malicious Package
unknown,8/2/16,8/2/16,1,Fosshub,"Hackers compromised FOSSHub, a popular file hosting service, and replaced the legitimate installer of several applications with malicious copies.",https://www.ghacks.net/2016/08/03/attention-fosshub-downloads-compromised/,,0,0,0,0,1,0,0,0,0,"Build, Source, and Publishing Infrastructure Attack",Publishing Infrastructure: Delivery System Compromise
8/28/16,8/29/16,8/30/16,1,Transmission,"Attackers infected two Transmission v2.92 installers available from the Transmission website with Keydnap, using a valid developer key that was not associated with Transmission.","https://transmissionbt.com/keydnap_qa/
https://www.welivesecurity.com/2016/08/30/osxkeydnap-spreads-via-signed-transmission-application/",,0,0,0,0,1,0,0,0,0,"Build, Source, and Publishing Infrastructure Attack",Publishing Infrastructure: Delivery System Compromise
unknown,11/5/16,11/18/16,1,Ask.com Toolbar,Ask’s software was being co-opted by a malicious actor to execute malicious software on victims’ endpoints.,https://redcanary.com/blog/ask-partner-network-compromise/,,0,0,0,0,1,0,0,0,0,"Build, Source, and Publishing Infrastructure Attack",Publishing Infrastructure: Delivery System Compromise
unknown,unknown,11/30/16,86,Android Apps,Gooligan malware code was included in dozens of legitimate-looking apps on third-party Android app stores.,https://blog.checkpoint.com/2016/11/30/1-million-google-accounts-breached-gooligan/,,0,0,0,0,0,0,0,1,0,Software Registry Attacks,Malicious Package
unknown,unknown,12/12/16,26,Android Handsets,Doctor Web’s security researchers found new Trojans incorporated into the firmware of several dozen Android mobile devices. The malware programs found are stored in system catalogs and covertly download and install programs.,https://blog.checkpoint.com/2016/11/30/1-million-google-accounts-breached-gooligan/,Malicious firmware was found on 26 models of smart phones.,0,0,1,0,0,0,0,0,0,"Build, Source, and Publishing Infrastructure Attack",Firmware Implant
2/4/17,2/6/17,2/22/17,1,Google Play Store,Banking malware known as the BankBot trojan was identified within an app on the Google Play Store.,https://www.welivesecurity.com/2017/02/22/sunny-chance-stolen-credentials-malicious-weather-app-found-google-play/,,0,0,0,0,0,0,0,1,0,Software Registry Attacks,Malicious Package
unknown,unknown,3/1/17,1,Google Play Store,"Palo Alto Networks discovered 132 Android apps on Google Play infected with tiny hidden IFrames that link to malicious domains in their local HTML pages, with the most popular one having more than 10,000 installs alone. Their investigation indicates that the developers of these infected apps are not to blame, but are more likely victims themselves. We believe it is most likely that the app developers’ development platforms were infected with malware that searches for HTML pages and injects malicious content at the end of the HTML pages it finds. What all the apps have in common is that they employ Android WebView to display static HTML pages. ",https://unit42.paloaltonetworks.com/unit42-google-play-apps-infected-malicious-iframes/,,0,0,0,0,0,0,1,0,0,Software Registry Attacks,Dependency Compromise
unknown,unknown,3/1/17,1,Ask.com Toolbar,Ask’s software was co-opted again by a malicious actor to execute malicious software on victims’ endpoints.,https://www.carbonblack.com/blog/second-ask-partner-network-apn-compromise-highlights-attackers-commandeering-widely-used-general-tools-sophisticated-targeted-attacks/,,0,0,0,0,1,0,0,0,0,"Build, Source, and Publishing Infrastructure Attack",Publishing Infrastructure: Delivery System Compromise
unknown,4/4/17,5/4/17,1,Unknown,The update for an editor tool was compromised. There are few specifics.,https://www.microsoft.com/security/blog/2017/05/04/windows-defender-atp-thwarts-operation-wilysupply-software-supply-chain-cyberattack/,,0,0,0,0,1,0,0,0,0,"Build, Source, and Publishing Infrastructure Attack",Publishing Infrastructure: Delivery System Compromise
5/2/17,5/6/17,5/6/17,1,Handbrake,HandBrake-1.0.7.dmg was replaced by another unknown malicious file that DOES NOT match the SHA1 / SHA256 hashes for the legitimate version of the application.,"https://forum.handbrake.fr/viewtopic.php?f=33&t=36364
https://blog.malwarebytes.com/threat-analysis/mac-threat-analysis/2017/05/handbrake-hacked-to-drop-new-variant-of-proton-malware/",,0,0,0,0,1,0,0,0,0,"Build, Source, and Publishing Infrastructure Attack",Publishing Infrastructure: Delivery System Compromise
unknown,unknown,4/30/17,1,Google Play Store,Another instance of the BankBot trojan was identified within an app on the Google Play Store.,https://www.threatfabric.com/blogs/banking_malware_in_google_play_targeting_many_new_apps.html,,0,0,0,0,0,0,0,1,0,Software Registry Attacks,Malicious Package
4/14/17,6/27/17,6/27/17,1,M.E.Doc,"Attackers have successfully compromised the accounting software M.E.Doc, popular across various industries in Ukraine, including financial institutions. Several of them executed a trojanized update of M.E.Doc, which allowed attackers to launch a massive ransomware campaign.","https://www.welivesecurity.com/2017/06/27/new-ransomware-attack-hits-ukraine/
https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/
https://www.welivesecurity.com/2017/07/04/analysis-of-telebots-cunning-backdoor/",,1,1,0,0,1,0,0,0,0,"Build, Source, and Publishing Infrastructure Attack",Publishing Infrastructure: Delivery System Compromise
unknown,unknown,7/27/17,1,Android Handsets,Virus analytics from Dr.Web detected a malicious program built into the firmware of several mobile devices running Android. Google believes that a vendor using the name Yehuo or Blazefire infected the system image with the Triada malware.,"https://news.drweb.com/show/?i=11390&lng=en
https://arstechnica.com/information-technology/2019/06/google-confirms-2017-supply-chain-attack-that-sneaked-backdoor-on-android-devices/",,0,0,1,0,0,0,0,0,0,"Build, Source, and Publishing Infrastructure Attack",Firmware Implant
7/19/17,8/1/17,8/1/17,38,npm,38 instances of typosquatting attacks that collect and exfiltrate environment variables were identified.,https://blog.npmjs.org/post/163723642530/crossenv-malware-on-the-npm-registry,,0,0,0,0,0,0,0,0,1,Software Registry Attacks,Typosquatting
7/18/17,8/4/17,8/7/17,1,NetSarang,Installers for several NetSarang products were distributed with malware from the company's official release servers.,"https://securelist.com/shadowpad-in-corporate-networks/81432/
https://web.archive.org/web/20170815192514/https://www.netsarang.com/news/security_exploit_in_july_18_2017_build.html",,0,0,0,0,1,0,0,0,0,Software Registry Attacks,Publishing Infrastructure: Delivery System Compromise
unknown,unknown,8/8/17,8,npm,8 instances of typosquatting attacks that add permissions and track install data were identified.,https://duo.com/decipher/hunting-malicious-npm-packages,,0,0,0,0,0,0,0,0,1,Software Registry Attacks,Typosquatting
6/2/17,9/9/17,9/9/17,10,PyPI,10 instances of typosquatting attacks that collect and exfiltrate host information were identified.,https://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/,,0,0,0,0,0,0,0,0,1,Software Registry Attacks,Typosquatting
8/15/17,9/12/17,9/12/17,1,CCleaner,"Developer workstations were compromised to integrate ShadowPad malware into the CCleaner build process, allowing distribution of the malware using the legitimate signed version of CCleaner.","https://blog.talosintelligence.com/2017/09/avast-distributes-malware.html
https://blog.avast.com/update-ccleaner-attackers-entered-via-teamviewer
https://www.ccleaner.com/news/blog/2017/9/18/security-notification-for-ccleaner-v5336162-and-ccleaner-cloud-v1073191-for-32-bit-windows-users",,1,0,0,0,1,0,0,0,0,"Build, Source, and Publishing Infrastructure Attack",Build System Compromise
7/7/17,8/10/17,9/14/17,50,Lovely Wallpaper,Malware injected in a free Android app would secretly register victims for paid services. The malicious code in the app came from a compromised software development kit (SDK) that Android developers used.,https://research.checkpoint.com/expensivewall-dangerous-packed-malware-google-play-will-hit-wallet/,This malware affected at least fifty apps.,0,0,0,0,0,0,1,0,0,Software Registry Attacks,Dependency Compromise
unknown,unknown,9/25/17,1,Google Play Store,Another instance of the BankBot trojan was identified within an app on the Google Play Store.,https://www.welivesecurity.com/2017/09/25/banking-trojan-returns-google-play/,,0,0,0,0,0,0,0,1,0,Software Registry Attacks,Malicious Package
unknown,10/19/17,10/20/17,2,Folx and Elmedia Player,Folx and Elmedia Player installers were distributed with malware from the company's official release servers.,https://www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia/,,0,0,0,0,1,0,0,0,0,"Build, Source, and Publishing Infrastructure Attack",Publishing Infrastructure: Delivery System Compromise
unknown,10/11/17,10/11/17,4,Google Play Store,Fake versions of Whatsapp were available within the Google Play Store and appeared to be signed by Whatsapp.,https://twitter.com/virqdroid/status/918031484220559360,,0,0,0,0,0,0,0,1,0,Software Registry Attacks,Malicious Package
unknown,11/3/17,11/3/17,1,Google Play Store,A fake version of a Whatsapp updater was available within the Google Play Store and appeared to be signed by Whatsapp.,https://www.reddit.com/r/Android/comments/7ahujw/psa_two_different_developers_under_the_same_name/dpa4ste/?st=j9nvw7rx&sh=d9977b20,,0,0,0,0,0,0,0,1,0,Software Registry Attacks,Malicious Package
unknown,11/5/17,11/5/17,4,Google Play Store,Fake versions of Whatsapp were available within the Google Play Store and appeared to be signed by Whatsapp.,https://twitter.com/virqdroid/status/927239025953566726,,0,0,0,0,0,0,0,1,0,Software Registry Attacks,Malicious Package
unknown,unknown,11/9/17,1,Google Play Store,Another instance of the BankBot trojan was identified within an app on the Google Play Store.,https://www.riskiq.com/blog/labs/mobile-bankbot/,,0,0,0,0,0,0,0,1,0,Software Registry Attacks,Malicious Package
11/21/17,11/25/17,11/26/17,1,Bitcoin Gold,"A backdoored version of Bitcoin wallet was planted by the attackers who gained access to the GitHub repository. As a result, those users who downloaded the infected version instead of the official one might have lost their private keys if they created new wallets using this malicious software.",https://bitcoingold.org/critical-warning-nov-26/,,0,1,0,0,0,0,0,0,0,"Build, Source, and Publishing Infrastructure Attack",Source Code System Compromise
unknown,11/20/17,12/12/17,3,Google Play Store,"At least 3 highly rated games were available on Google Play that included an additional implant, the games had up to 10.5 million downloads when their nefarious behavior was exposed.",https://www.securityweek.com/golduck-malware-infects-classic-android-games,,0,0,0,0,0,0,0,1,0,Software Registry Attacks,Malicious Package
2/12/18,3/6/18,3/7/18,1,MediaGet,"Attackers performed an update poisoning campaign that installed a trojanized version of MediaGet on computers, and then downloaded a cryptominer using the backdoored version.",https://www.microsoft.com/security/blog/2018/03/13/poisoned-peer-to-peer-app-kicked-off-dofoil-coin-miner-outbreak/,,0,0,0,0,1,0,0,0,0,"Build, Source, and Publishing Infrastructure Attack",Publishing Infrastructure: Delivery System Compromise
unknown,5/2/18,5/2/18,1,npm,"The getcookies npm package contained a potential backdoor, and was introduced as a dependency to several packages, including the popular package mailparser.",https://blog.npmjs.org/post/173526807575/reported-malicious-module-getcookies,,0,0,0,0,0,0,1,0,0,Software Registry Attacks,Dependency Compromise
3/1/18,5/3/18,5/10/18,1,Chrome Web Store,"This malware campaign is propagating via socially-engineered links on Facebook and is infecting users by abusing a Chrome Web Store (the ‘Nigelify’ application) that performs credential theft, cryptomining, click fraud and more.",https://blog.radware.com/security/2018/05/nigelthorn-malware-abuses-chrome-extensions/,,0,0,0,0,0,0,0,1,0,Software Registry Attacks,Malicious package
5/10/18,5/11/18,5/11/18,10,PyPI,10 instances of typosquatting attacks that collect and exfiltrate host information were identified.,https://github.com/pypa/warehouse/issues/3948,,0,0,0,0,0,0,0,0,1,Software Registry Attacks,Typosquatting
unknown,5/11/18,5/11/18,2,Ubuntu Snap,"The app 2048buntu and another app by the same author contained a cryptocurrency mining application disguised as the ""systemd"" daemon, along with an init script that provided boot persistence.",https://github.com/canonical-web-and-design/snapcraft.io/issues/651,,0,0,0,0,0,0,0,1,0,Software Registry Attacks,Malicious package
7/25/17,5/10/18,6/13/18,17,Docker Hub,17 backdoored images were placed on Docker Hub.,"https://neuvector.com/docker-security/backdoored-images-removed/
https://www.bleepingcomputer.com/news/security/17-backdoored-docker-images-removed-from-docker-hub/",,0,0,0,0,0,0,0,1,0,Software Registry Attacks,Malicious Package
6/28/18,6/28/18,6/28/18,1,Gentoo,An unknown entity gained control of an admin account for the Gentoo GitHub Organization and removed all access to the organization (and its repositories) from Gentoo developers. They then proceeded to make various changes to content.,https://wiki.gentoo.org/wiki/Project:Infrastructure/Incident_Reports/2018-06-28_Github,,0,1,0,0,0,1,0,0,0,Software Registry Attacks,Source Code System Compromise
6/7/18,7/8/18,7/10/18,3,Arch Linux,Malware has been discovered in at least three orphaned Arch Linux packages available on AUR (Arch User Repository) that were taken over by a malicious actor.,https://lwn.net/Articles/759461/,,0,0,0,0,0,1,0,1,0,Software Registry Attacks,Malicious Package
unknown,unknown,7/10/18,1,Inbenta,"The credit card skimming effort of a massive campaign by a threat group -- dubbed Magecart, operational since at least 2015 -- targets software companies that build and provide code that developers include on their websites to improve the site or customer experience. After the hackers break in and alter the code, it affects every website that it runs on, potentially affecting millions of users every day. At least 800 e-commerce sites are said to be affected, after they included code developed by third-party companies and later altered by hackers. The ticket selling giant admitted that some customers had their payment data compromised because its website was running code from Inbenta, a customer support software company, which hackers had altered.",https://www.zdnet.com/article/ticketmaster-breach-was-part-of-a-larger-credit-card-skimming-effort-analysis-shows/,,0,0,0,0,0,0,1,0,0,Software Registry Attacks,Dependency Compromise
7/12/18,7/12/18,7/12/18,2,npm,"An attacker compromised the npm account of an ESLint maintainer and published malicious versions of the eslint-scope and eslint-config-eslint packages to the npm registry. On installation, the malicious packages downloaded and executed code from pastebin.com which sent the contents of the user’s .npmrc file to the attacker. An .npmrc file typically contains access tokens for publishing to npm.",https://eslint.org/blog/2018/07/postmortem-for-malicious-package-publishes,,0,0,0,0,0,1,0,1,0,Software Registry Attacks,Malicious Package
1/1/18,unknown,7/26/18,1,PDF editor application,"Attackers compromised a font package installed by a PDF editor application and used it to deploy a cryptocurrency miner on users' computers. Since the PDF editor was installed under SYSTEM privileges, the malicious coinminer code hidden inside the font package would receive full access to the victims' system.",https://www.microsoft.com/security/blog/2018/07/26/attack-inception-compromised-supply-chain-within-a-supply-chain-poses-new-risks/,,0,0,0,0,0,0,1,0,0,Software Registry Attacks,Dependency Compromise
unknown,unknown,7/30/18,145,Google Play Store,There are 145 Google Play apps infected by malicious Microsoft Windows executable files on the Google Play Store. Palo Alto Networks reported the findings to Google Security Team and all infected apps have been removed from Google Play.,https://unit42.paloaltonetworks.com/unit42-hidden-devil-development-life-cycle-google-play-apps-infected-windows-executable-files/,,0,0,0,0,0,0,0,1,0,Software Registry Attacks,Malicious Package
unknown,7/31/18,8/21/18,1,South Korean remote support solutions provider,The threat actors compromised the update server of a remote support solutions provider to deliver a remote access tool called 9002 RAT to their targets of interest through the update process. They carried this out by first stealing the company’s certificate and then using it to sign the malware. They also configured the update server to only deliver malicious files if the client is located in the range of IP addresses of their target organizations.,https://blog.trendmicro.com/trendlabs-security-intelligence/supply-chain-attack-operation-red-signature-targets-south-korean-organizations/,,0,0,0,1,1,0,0,0,0,"Build, Source, and Publishing Infrastructure Attack",Publishing Infrastructure: Delivery System Compromise
unknown,unknown,9/7/18,3,Apple App Store,Several security researchers have independently found different apps that are collecting sensitive user data and uploading it to servers controlled by the developer.,https://blog.malwarebytes.com/threat-analysis/2018/09/mac-app-store-apps-are-stealing-user-data/,,0,0,0,0,0,0,0,1,0,Software Registry Attacks,Malicious Package
4/29/16,10/12/18,10/12/18,8,PyPI,smplejson was created to mimic the simplejson package in the standard library. It collects and exfiltrates host information.,https://medium.com/@bertusk/detecting-cyber-attacks-in-the-python-package-index-pypi-61ab2b585c67,,0,0,0,0,0,0,0,0,1,Software Registry Attacks,Typosquatting
5/31/18,9/19/19,10/18/18,1,VestaCP,An unknown hacker injected credential logging and exfiltration code into VestaCP installation scripts.,https://www.welivesecurity.com/2018/10/18/new-linux-chachaddos-malware-distributed-servers-vestacp-installed/,,1,0,0,0,0,0,0,0,0,"Build, Source, and Publishing Infrastructure Attack",Build System Compromise
12/5/17,10/20/18,10/20/18,1,PyPI,The colourama package is typo-squatting the popular PyPI package named colorama. The colourama package contains a malware dropper which targets Windows machines and downloads a second stage that implements a cryptocurrency clipboard hijacker written in VBScript. ,https://medium.com/@bertusk/cryptocurrency-clipboard-hijacker-discovered-in-pypi-repository-b66b8a534a8,,0,0,0,0,0,0,0,0,1,Software Registry Attacks,Typosquatting
11/3/18,11/6/18,11/6/18,1,StatCounter,"StatCounter was compromised, and a cryptocurrency stealing script for gate.io was added to a JavaScript resource used by StatCounter customers.",https://www.welivesecurity.com/2018/11/06/supply-chain-attack-cryptocurrency-exchange-gate-io/,,0,0,0,0,0,0,1,0,0,Software Registry Attacks,Dependency Compromise
unknown,unknown,11/19/18,13,Google Play Store,13 apps containing adware are available for download in the Google Play Store.,https://twitter.com/LukasStefanko/status/1064507886896844800,,0,0,0,0,0,0,0,1,0,Software Registry Attacks,Malicious Package
9/4/18,11/20/18,11/20/18,1,npm,"A malicious developer modified event-stream to then depend on a malicious package, flatmap-stream. ",https://github.com/dominictarr/event-stream/issues/116#issuecomment-441759047,,0,0,0,0,0,1,1,0,0,Software Registry Attacks,Dependency Compromise
unknown,unknown,12/2/18,1,jcenter and bintray,Malicious dependency in AndroidAudioRecorder steals device make and model information.,https://blog.autsoft.hu/a-confusing-dependency/,,0,0,0,0,0,0,0,1,0,Software Registry Attacks,Malicious Package
3/3/16,12/9/18,12/9/18,2,PyPI,9 instances of typosquatting attacks that collect and exfiltrate host information were identified.,https://github.com/rsc-dev/pypi_malware,"Two packages reported here also are listed in https://medium.com/@bertusk/detecting-cyber-attacks-in-the-python-package-index-pypi-61ab2b585c67 and not included in this attack count
Five packages reported here also are listed in https://github.com/pypa/warehouse/issues/3948 and not included in this attack count",0,0,0,0,0,0,0,0,1,Software Registry Attacks,Typosquatting
unknown,unknown,1/5/19,14,Apple App Store,14 games were available on the App Store that included an additional implant.,https://www.wandera.com/risky-apps/,,0,0,0,0,0,0,0,1,0,Software Registry Attacks,Malicious Package
9/17/18,1/20/19,1/20/19,1,PyPI,"The pytz3-dev package is typo-squatting the popular PyPI package named pytz. The pytz3-dev package contains malicious code that searches for a Discord authentication token stored in a SQLite database, and exfiltrates the token if one is found.",https://medium.com/@bertusk/discord-token-stealer-discovered-in-pypi-repository-e65ed9c3de06,,0,0,0,0,0,0,0,0,1,Software Registry Attacks,Typosquatting
7/23/18,1/18/19,1/23/19,1,PHP,A malicious PEAR (PHP package manager) executable was uploaded to the official PHP PEAR website.,https://www.zdnet.com/article/mystery-still-surrounds-hack-of-php-pear-website/,Compromise date was approximately six months before detection according to the article.,0,0,0,0,0,0,0,1,0,Software Registry Attacks,Malicious Package
unknown,2/28/19,3/7/19,1,jxplorer,A malicious version of the jxplorer Linux installer was uploaded to a GitHub repo that was promoted to appear legitimate.,https://dfir.it/blog/2019/02/26/the-supreme-backdoor-factory/,The research that resulted in this article was performed in February 2019.,0,0,0,0,1,0,0,0,0,"Build, Source, and Publishing Infrastructure Attack",Publishing Infrastructure: Delivery System Compromise
11/13/18,2/1/19,3/11/19,1,Visual Studio,"Malware was seamlessly integrated into the code of recently compiled legitimate applications, likely through a trojanized Visual Studio development environment used by software coders in the organization. Several gaming companies, an IT services company, a conglomerate holding company and a pharmaceutical company were compromised in this attack.","https://usa.kaspersky.com/blog/details-shadow-hammer/17576/
https://securelist.com/operation-shadowhammer-a-high-profile-supply-chain-attack/90380/
https://www.welivesecurity.com/2019/03/11/gaming-industry-scope-attackers-asia/",,1,0,0,0,0,0,0,0,0,"Build, Source, and Publishing Infrastructure Attack",Build System Compromise
unknown,unknown,3/13/19,1,Google Play Store,"This particular strain of adware was found in 206 applications, and the combined download count has reached almost 150 million. Google was swiftly notified and removed the infected applications from the Google Play Store. The malware resides within the ‘RXDrioder’ Software Development Kit (SDK), which is provided by ‘addroider[.]com’ as an ad-related SDK. The researchers believe the developers were scammed into using this malicious SDK, unaware of its content, which indicates that this campaign was not targeting a specific country or developed by the same developer. The malware has been dubbed ‘SimBad’ because a large portion of the infected applications are simulator games.",https://research.checkpoint.com/2019/simbad-a-rogue-adware-campaign-on-google-play/,,0,0,0,0,0,0,1,0,0,Software Registry Attacks,Dependency Compromise
unknown,9/15/18,3/13/19,1,Android Apps,Check Point Research has recently discovered a group of Android applications massively harvesting contact information on mobile phones without the user’s consent. The data stealing logic hides inside a data analytics Software Development Kit (SDK) seen in up to 12 different mobile applications and has so far been downloaded over 111 million times.,https://research.checkpoint.com/2019/operation-sheep-pilfer-analytics-sdk-in-action/,,0,0,0,0,0,0,1,0,0,Software Registry Attacks,Dependency Compromise
6/1/18,1/29/19,3/25/19,1,ASUS,The ASUS software update tool was distributed with malware from the company's official release servers.,"https://securelist.com/operation-shadowhammer/89992/
https://www.vice.com/en_us/article/pan9wn/hackers-hijacked-asus-software-updates-to-install-backdoors-on-thousands-of-computers",,0,0,0,1,1,0,0,0,0,"Build, Source, and Publishing Infrastructure Attack",Publishing Infrastructure: Delivery System Compromise
unknown,unknown,3/29/19,1,Google Play Store,"Exodus is an Android spyware platform available on the Google Play Store, disguised as service applications from mobile operators.",https://securitywithoutborders.org/blog/2019/03/29/exodus.html,,0,0,0,0,0,0,0,1,0,Software Registry Attacks,Malicious Package
3/26/19,3/26/19,4/3/19,1,RubyGems.org,A malicious version of the popular bootstrap-sass package was published to the official RubyGems repository.,https://snyk.io/blog/malicious-remote-code-execution-backdoor-discovered-in-the-popular-bootstrap-sass-ruby-gem/,,0,0,0,0,0,1,0,1,0,Software Registry Attacks,Malicious Package
5/4/18,5/8/19,5/8/19,1,PyPI,Versions 0.28 - 0.31 of the ssh-decorate PyPI package would capture and exfiltrate SSH credentials.,"https://www.reddit.com/r/Python/comments/8hvzja/backdoor_in_sshdecorator_package/
https://www.bleepingcomputer.com/news/security/backdoored-python-library-caught-stealing-ssh-credentials/",,0,0,0,0,0,1,0,1,0,Software Registry Attacks,Malicious Package
3/23/19,6/4/19,6/5/19,1,JavaScript,This attack focused on getting a malicious package into the build chain for Agama (a cryptocurrency wallet) and stealing the wallet seeds and other login passphrases used within the application.,https://blog.npmjs.org/post/185397814280/plot-to-steal-cryptocurrency-foiled-by-the-npm,,0,0,0,0,0,0,1,0,0,Software Registry Attacks,Dependency Compromise
unknown,6/19/19,6/19/19,23,RubyGems.org,"The author shaggy has uploaded 23 malicious packages, mainly focused on crypto mining and cookie/password stealing.",https://github.com/rubygems/rubygems.org/issues/2034,,0,0,0,0,0,0,0,1,0,Software Registry Attacks,Malicious Package
unknown,unknown,6/20/19,1,Android Handsets,Criminals in 2017 managed to get an advanced backdoor preinstalled on Android devices before they left the factories of manufacturers.,https://www.schneier.com/blog/archives/2019/06/backdoor_built_.html,,0,0,1,0,0,0,0,0,0,"Build, Source, and Publishing Infrastructure Attack",Firmware Implant
unknown,6/26/19,6/26/19,1,RubyGems.org,The passgen Ruby Gem included a backdoor in the latest release.,https://help.rubygems.org/discussions/problems/36541-reporting-backdoor-on-passgen,,0,0,0,0,0,0,0,1,0,Software Registry Attacks,Malicious Package
6/25/19,6/28/19,7/3/19,1,RubyGems.org,The RubyGems.org account of the strong_password RubyGem creator was compromised and a malicious payload was added to a new version.,https://withatwist.dev/strong-password-rubygem-hijacked.html,,0,0,0,0,0,1,0,1,0,Software Registry Attacks,Malicious Package
7/6/19,7/6/19,7/6/19,1,Canonical,A Canonical owned account on GitHub whose credentials were compromised was used to create repositories and issues among other activities. ,https://twitter.com/ubuntu_sec/status/1147675201632473088,,1,1,0,0,0,1,0,0,0,Software Registry Attacks,Source Code System Compromise
5/1/19,7/9/19,7/10/19,1,Pale Moon,A malicious party gained access to the archive server and infected all archived executables on the server with a trojan/virus dropper. ,https://forum.palemoon.org/viewtopic.php?f=17&t=22526,,0,0,0,0,1,0,0,0,0,"Build, Source, and Publishing Infrastructure Attack",Publishing Infrastructure: Delivery System Compromise
7/5/19,7/5/19,7/12/19,1,JavaScript,Former PureScript installer maintainer inserted malicious code into PureScript npm installer dependencies after being removed as a maintainer of the PureScript installer project.,https://harry.garrood.me/blog/malicious-code-in-purescript-npm-installer/,,0,0,0,0,0,1,1,0,0,Software Registry Attacks,Dependency Compromise
unknown,unknown,7/12/19,1,Google Play Store,"An app called OpenGL Plugin contains malware that executes commands, allowing the criminals to remotely control the infected Android devices and spy on users.",https://news.drweb.com/show/?c=0&p=0&lng=en&i=13349,,0,0,0,0,0,0,0,1,0,Software Registry Attacks,Malicious Package
11/23/17,7/9/19,7/17/19,5,PyPI,"libpeshnx was a backdoored package with a C2 channel built in. Reversing Labs scanned all of PyPI with a static analysis tool (their own Titanium Platform) and found this malicious package, plus 4 others.",https://blog.reversinglabs.com/blog/suppy-chain-malware-detecting-malware-in-package-manager-repositories,,0,0,0,0,0,0,0,1,0,Software Registry Attacks,Malicious Package
unknown,unknown,7/20/19,226,RubyGems.org,All gems where homografo is the owner were yanked because 168 out of 226 gem names were invalid as per Levenshtein rule.,"https://gist.github.com/sonalkr132/0af1746c14b42a41e01d20fffbed585b
https://github.com/rubygems/rubygems.org/wiki/Gems-yanked-and-accounts-locked",,0,0,0,0,0,0,0,0,1,Software Registry Attacks,Typosquatting
4/1/18,8/10/19,8/10/19,1,Webmin,An unknown hacker injected a backdoor that allowed for execution of arbitrary commands as root into Webmin 1.890 through 1.921 by modifying a source file on the development build server.,http://webmin.com/exploit.html,,0,0,0,0,0,0,0,0,0,"Build, Source, and Publishing Infrastructure Attack",Build System Compromise
8/13/19,8/19/19,8/19/19,1,RubyGems.org,The RubyGems.org account of the rest-client RubyGem creator was compromised and a malicious payload was added to a new version.,https://github.com/rest-client/rest-client/issues/713,,0,0,0,0,0,1,0,1,0,Software Registry Attacks,Malicious Package
unknown,8/19/19,8/19/19,8,RubyGems.org,"The RubyGems.org codebase was searched for malware and mining software, and several instances were found.",https://github.com/rubygems/rubygems.org/issues/2097,,0,0,0,0,0,0,0,1,0,Software Registry Attacks,Malicious Package
3/4/18,8/21/19,8/21/19,1,npm,bb-builder was created to mimic the bb-build package using the account of a developer with hundreds of legitimate JavaScript packages. It collects and exfiltrates passwords stored within a browser.,https://blog.reversinglabs.com/blog/the-npm-package-that-walked-away-with-all-your-passwords,,0,0,0,0,0,0,0,0,1,Software Registry Attacks,Typosquatting
6/16/19,8/27/19,8/27/19,1,CamScanner,Recent versions of the app shipped with an advertising library containing a malicious module.,"https://www.kaspersky.com/blog/camscanner-malicious-android-app/28156/
https://www.androidpolice.com/2019/08/28/camscanner-play-store-malware/",,0,0,0,0,0,0,0,1,0,Software Registry Attacks,Malicious Package
unknown,unknown,10/3/19,2,Google Play Store,Mobile applications to track a device’s communications or location were published to the Google Play Store.,https://research.checkpoint.com/2019/the-eye-on-the-nile/,,0,0,0,0,0,0,0,1,0,Software Registry Attacks,Malicious Package
unknown,unknown,10/24/19,17,Apple App Store,Wandera’s threat research team has discovered 17 apps on the Apple App Store that are infected with clicker trojan malware. ,https://www.wandera.com/ios-trojan-malware/,,0,0,0,0,0,0,0,1,0,Software Registry Attacks,Malicious Package
unknown,unknown,10/29/19,1,RubyGems,"A package (or ""gem"") named basic_authable was removed from RubyGems by the maintainers.",https://github.com/rubygems/rubygems.org/wiki/Gems-yanked-and-accounts-locked,,0,0,0,0,0,0,0,1,0,Software Registry Attacks,Malicious Package
9/1/17,12/15/17,11/26/19,9,Google Play Store,"In December 2017, TAG discovered a series of campaigns from Sandworm attempting to deploy Android malware. The first campaign targeted users in South Korea, where Sandworm was modifying legitimate Android applications with malware. They then uploaded these modified apps to the Play Store using their own attacker-controlled developer accounts. During this campaign, Sandworm uploaded eight different apps to the Play Store, each with fewer than 10 total installs.
We also identified an earlier September 2017 Android campaign from Sandworm where they used similar tactics and deployed a fake version of the UKR.net email app on the Play Store. This application had approximately 1,000 total installs. We worked with our colleagues on the Google Play Protect Team to write detections for this malware family, and eliminate it.",https://blog.google/threat-analysis-group/protecting-users-government-backed-hacking-and-disinformation/,,0,0,0,0,0,0,0,1,0,Software Registry Attacks,Malicious Package
11/29/19,12/1/19,12/1/19,1,PyPI,"There is a fake version of dateutil called python3-dateutil on PyPI that contains additional imports of the jeIlyfish package (itself a fake version of the jellyfish package; the first l is a capital I). That package in turn contains malicious code.",https://github.com/dateutil/dateutil/issues/984,,0,0,0,0,0,0,0,0,1,Software Registry Attacks,Typosquatting
unknown,unknown,12/19/19,116,Google Play Store,"The White Ops Threat Intelligence team recently identified 100+ malicious apps, with more than 4.6 million downloads, performing ad fraud. All of the apps use a common code package White Ops has dubbed “Soraka” (com.android.sorakalibrary.*).
In addition to the Soraka code package, we also discovered, in some of the apps, a variant with similar functionality which we dubbed “Sogo” (com.android.sogolibrary.*).",https://www.whiteops.com/blog/bringing-starchild-down-to-earth-soraka-sdk,,0,0,0,0,0,0,0,1,0,Software Registry Attacks,Malicious Package
3/1/19,unknown,1/6/20,3,Google Play Store,Trend Micro found three malicious apps in the Google Play Store that work together to compromise a victim’s device and collect user information.,https://www.trendmicro.com/en_us/research/20/a/first-active-attack-exploiting-cve-2019-2215-found-on-google-play-linked-to-sidewinder-apt-group.html,,0,0,0,0,0,0,0,1,0,Software Registry Attacks,Malicious Package
unknown,10/31/19,1/9/20,1,Android Handsets,"A United States–funded mobile carrier that offers phones via the Lifeline Assistance program is selling a mobile device pre-installed with not one, but two nefarious applications.",https://blog.malwarebytes.com/android/2020/01/united-states-government-funded-phones-come-pre-installed-with-unremovable-malware/,,0,0,1,0,0,0,0,0,0,"Build, Source, and Publishing Infrastructure Attack",Firmware Implant
unknown,unknown,2/4/20,0,"npm, PyPi, RubyGems.org","Six researchers from Georgia Tech (last author is Wenke Lee) built an analytical pipeline to analyze PyPI, npm, and RubyGems for malware. They identify 278 confirmed malware packages, including three with over 100K downloads, but do not provide a list of compromised packages.",https://arxiv.org/pdf/2002.01139.pdf,"To be conservative, it is assumed that all of the identified packages have been reported elsewhere.",0,0,0,0,0,0,0,1,0,Software Registry Attacks,Malicious Package
6/23/17,9/1/19,2/13/20,500,Chrome Web Store,500 Chrome extensions were found to infect users’ browsers and exfiltrate data as part of a larger campaign.,https://duo.com/labs/research/crxcavator-malvertising-2020,,0,0,0,0,0,0,0,1,0,Software Registry Attacks,Malicious Package
unknown,2/25/20,4/16/20,725,RubyGems.org,"The RubyGems.org codebase was searched for typosquatting packages that contained malware, and over 700 instances were found.",https://blog.reversinglabs.com/blog/mining-for-malicious-ruby-gems,,0,0,0,0,0,0,0,0,1,Software Registry Attacks,Typosquatting
unknown,4/19/20,4/19/20,1,RubyGems.org,The gem name pp was typosquatting on the standard library package of the same name.,https://github.com/rubygems/rubygems.org/issues/1959,,0,0,0,0,0,0,0,0,1,Software Registry Attacks,Typosquatting
1/1/16,7/12/19,4/28/20,8,Google Play Store,Attackers published spyware using a backdoor trojan injected in apps available in the Google Play store.,https://securelist.com/apt-phantomlance/96772/,,0,0,0,0,0,0,0,1,0,Software Registry Attacks,Malicious Package
11/1/15,11/30/19,5/19/20,143,"npm, PyPi, RubyGems.org","Researchers identified 174 malicious software packages that were used in real-world attacks on open source software supply chains, and which were distributed via the popular package repositories npm, PyPI, and RubyGems from November 2015 to November 2019.",https://dasfreak.github.io/Backstabbers-Knife-Collection/,"There are 80 unique npm packages, 15 unique PyPI packages, and 48 unique RubyGems packages.",0,0,0,0,0,0,0,1,0,Software Registry Attacks,Malicious Package
unknown,3/9/20,5/28/20,1,Github,"Github was hosting malware designed to enumerate and backdoor NetBeans projects, and which uses the build process and its resulting artifacts to spread itself.
In the course of our investigation we uncovered 26 open source projects that were backdoored by this malware and that were actively serving backdoored code.",https://securitylab.github.com/research/octopus-scanner-malware-open-source-supply-chain,,1,0,0,0,0,0,0,0,0,"Build, Source, and Publishing Infrastructure Attack",Build System Compromise
unknown,unknown,6/18/20,111,Chrome Web Store,"Awake have harvested 111 malicious or fake Chrome extensions using GalComm domains for attacker command and control infrastructure and/or as loader pages for the extensions. These extensions can take screenshots, read the clipboard, harvest credential tokens stored in cookies or parameters, grab user keystrokes (like passwords), etc.",https://awakesecurity.com/blog/the-internets-new-arms-dealers-malicious-domain-registrars/,,0,0,0,0,0,0,0,1,0,Software Registry Attacks,Malicious Package
unknown,4/30/20,6/25/20,1,Golden Tax,The GoldenSpy malware is installed as part of the mandated Chinese Golden Tax VAT software produced by Aisino.,https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-golden-tax-department-and-the-emergence-of-goldenspy-malware/,,0,0,0,0,1,0,0,0,0,"Build, Source, and Publishing Infrastructure Attack",Publishing Infrastructure: Delivery System Compromise
unknown,unknown,7/7/20,1,CDATA OLT,"Numerous OLT models made by CDATA have multiple vulnerabilities in the device firmware that allow for remote access, code execution, decryption of data, and other exploits. The researcher who discovered these vulnerabilities believes they were intentionally included.",https://pierrekim.github.io/blog/2020-07-07-cdata-olt-0day-vulnerabilities.html,,0,0,1,0,0,0,0,0,0,"Build, Source, and Publishing Infrastructure Attack",Firmware Implant
unknown,unknown,7/8/20,1,Android Handsets,"Malwarebytes found another phone model with pre-installed malware provided through the Lifeline Assistance program via Assurance Wireless by Virgin Mobile. This time, an ANS (American Network Solutions) UL40 running Android OS 7.1.1.",https://blog.malwarebytes.com/android/2020/07/we-found-yet-another-phone-with-pre-installed-malware-via-the-lifeline-assistance-program/,,0,0,1,0,0,0,0,0,0,"Build, Source, and Publishing Infrastructure Attack",Firmware Implant
unknown,unknown,7/9/20,11,Google Play Store,11 apps containing the Joker malware were found in the Google Play Store.,https://research.checkpoint.com/2020/new-joker-variant-hits-google-play-with-an-old-trick/,,0,0,0,0,0,0,0,1,0,Software Registry Attacks,Malicious Package
unknown,unknown,8/24/20,1,Android Handsets,"Secure-D has blocked millions of suspicious subscription requests coming from low-end devices made by Transsion, a Chinese manufacturer of affordable smartphones for the African market.
Many of the transaction requests originating from applications seem to be coming from a family of apps called com.mufc, whose source is unknown and which cannot be downloaded from any Android app store.
One thing that is certain, is the app’s malicious nature. It can set off a series of actions that turn user devices into vectors for click fraud. Almost every transaction attempt coming from these devices during the period was identified as fraudulent.
It’s also incredibly stubborn and there is no conventional way to purge it from the phone – even after a factory reset.
Tecno W2 devices came with Triada-related malware pre-installed.",https://www.upstreamsystems.com/well-known-malware-committing-click-ad-fraud-low-end-devices-emerging-markets-uncovered-secure-d/,,0,0,1,0,0,0,0,0,0,"Build, Source, and Publishing Infrastructure Attack",Firmware Implant
8/18/20,8/25/20,8/25/20,1,npm,fallguys contained malicious code that attempted to read local sensitive files and exfiltrate information through a Discord webhook.,https://www.npmjs.com/advisories/1552,,0,0,0,0,0,0,0,1,0,Software Registry Attacks,Malicious Package
unknown,unknown,9/27/20,17,Google Play Store,17 apps containing the Joker malware were found in the Google Play Store.,https://www.zdnet.com/article/google-removes-17-android-apps-doing-wap-billing-fraud-from-the-play-store/,,0,0,0,0,0,0,0,1,0,Software Registry Attacks,Malicious Package
5/20/20,6/16/20,10/16/20,1,PyPI,pandar was created to mimic pandac or pandas. It collects and exfiltrates user keystrokes. IQT's pypi-scan was used to find this typosquatter. The package was reported to PyPI and subsequently removed.,https://www.iqt.org/pypi-scan/,,0,0,0,0,0,0,0,0,1,Software Registry Attacks,Typosquatting
unknown,12/13/20,12/13/20,1,SolarWinds Orion,An Orion software patch was delivered through its existing software release management system that included a backdoor that appears to have been inserted via a build system compromise.,https://blog.reversinglabs.com/blog/sunburst-the-next-level-of-stealth,,1,1,0,0,0,0,0,0,0,"Build, Source, and Publishing Infrastructure Attack",Build System Compromise
unknown,unknown,8/4/20,1,PyPI,"Typosquatting package called 'request' (original package 'requests'); the package connects to a C&C server and waits for a command.",https://medium.com/@vuducly151092/analyzing-the-python-typosquatting-malicious-request-package-e80aeda925b0,,0,0,0,0,0,0,0,0,1,Software Registry Attacks,Typosquatting