Npm timing attack, legit software spreads malware, Mango Markets hacked

Npm timing attack could impact supply chain
Security researchers at Aqua Security found a way to determine which private packages are present in a GitHub repository. The technique relies on the small time difference in returning a 404 error, which depends on whether the package is private or simply does not exist. The caching mechanism of npm's API appears to cause the timing difference, which can vary by a few hundred milliseconds. This opens the door for attackers to create malicious clones or typosquatted versions of the packages, and ultimately those clones could make their way into production software and then to consumers. Aqua contacted GitHub on March 8th. GitHub said it could not fix the issue, citing architectural limitations. (Bleeping Computer)

Legit software used to spread malicious WhatsApp mod
Researchers at Kaspersky discovered a trojan lurking in a modified WhatsApp build called YoWhatsApp. The build still provides a fully working app with a customized interface, but it grants the trojan all the device permissions granted to WhatsApp. The researchers found the modified app spreading through several non-malicious apps, including ads in the Snaptube app and an upload to the internal store of the video app Vidmate. The trojan can be used to take over an account or to subscribe a user to services without their knowledge. (SecureList)

Mango Markets hit by $100 million hack
The Solana blockchain trading platform's account of the attack escalated as events unfolded. It said on the evening of October 11th there was "an incident" with an attacker draining funds. By mid-day on the 12th, it said market manipulation had allowed an attacker to drain about $100 million. Mango said this "effectively resulted in a total draining of all equity available" and paused withdrawals of deposits. The attacker essentially staked out a large position on the blockchain, traded against themselves on other exchanges to inflate prices, and then submitted a governance proposal to Mango's DAO to waive any criminal investigation and avoid liability for any "bad debts." The attacker had enough market power to pass the proposal with 99% yes votes. (Fortune)

Microsoft adds security and collaboration features to Edge
Microsoft keeps adding features to its Chromium-based Edge browser, and this time they're not for ecommerce! The browser will bring typo protection for website URLs, offering suggestions for commonly misspelled sites. This could potentially avoid typosquatting attacks.
There's also a new opt-in feature which will apply the browser's most conservative content settings when on an unfamiliar site. This would turn off just-in-time JavaScript
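Returning to the npm item above: the following is an added example written for this digest, not code from Aqua's research, npm or GitHub. It models a hypothetical registry lookup in which a cached private package and a nonexistent package both answer 404 but at different latencies, beside a hardened form that pads every response up to a fixed latency floor, plus the comparison a defender would run against a staging instance to confirm the gap is gone. The package names, delays and floor value are constructed assumptions.

```python
import time
from typing import Callable, Tuple

# Constructed registry state (not real npm data): one private package that the
# cache knows about, and a floor high enough to cover both lookup paths.
PRIVATE_PACKAGES = {"@acme/internal-auth"}
CACHE_HIT_DELAY = 0.005    # seconds: metadata already cached, fast path
CACHE_MISS_DELAY = 0.030   # seconds: cache miss, lookup falls through to storage
LATENCY_FLOOR = 0.050      # seconds: every response is padded to at least this


def lookup_unpadded(name: str, is_authorized: bool) -> int:
    """Hypothetical handler that leaks package existence through timing.

    A private package is found in the cache quickly and then rejected with 404
    because the caller is not authorized; a nonexistent package misses the cache
    and takes the slow path before also returning 404. Same status, different
    latency, which is the side channel described in the news item.
    """
    if name in PRIVATE_PACKAGES:
        time.sleep(CACHE_HIT_DELAY)
        return 200 if is_authorized else 404
    time.sleep(CACHE_MISS_DELAY)
    return 404


def lookup_padded(name: str, is_authorized: bool, floor: float = LATENCY_FLOOR) -> int:
    """Hardened form: pad the response so both 404 paths reach the same floor.

    The status code is unchanged; only the time at which it is returned is
    normalized, so an unauthenticated caller cannot tell the two paths apart.
    """
    start = time.perf_counter()
    status = lookup_unpadded(name, is_authorized)
    elapsed = time.perf_counter() - start
    if elapsed < floor:
        time.sleep(floor - elapsed)
    return status


def timed(fn: Callable[..., int], *args) -> Tuple[int, float]:
    """Run one lookup and return (status, elapsed_seconds)."""
    start = time.perf_counter()
    status = fn(*args)
    return status, time.perf_counter() - start


def timing_gap(fn: Callable[..., int], trials: int = 5) -> float:
    """Median latency difference between a private and a nonexistent package
    for an unauthenticated caller. A defender runs this against a staging
    registry to verify that the padding closes the gap."""
    private = sorted(timed(fn, "@acme/internal-auth", False)[1] for _ in range(trials))
    missing = sorted(timed(fn, "@acme/does-not-exist", False)[1] for _ in range(trials))
    return abs(private[trials // 2] - missing[trials // 2])


if __name__ == "__main__":
    print(f"unpadded gap: {timing_gap(lookup_unpadded) * 1000:.1f} ms")
    print(f"padded gap:   {timing_gap(lookup_padded) * 1000:.1f} ms")
```

The padding floor must exceed the slowest legitimate path, otherwise the slow path still stands out; in a real registry the floor is chosen from measured latency percentiles rather than a constant, and the same normalization applies to any error that depends on data the caller is not allowed to see.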