Microsoft has uncovered a supply chain attack involving malicious npm packages registered under organizational scopes that mirror real internal corporate namespaces, employing dependency confusion technique to deploy a reconnaissance payload. msft.it/6010vZhZ4 A threat actor operating under three maintainer aliases, mr.4nd3r50n, ce-rwb, and t-in-one, published malicious packages that impersonate internal corporate packages, with several spoofing internal enterprise infrastructure URLs in their package.json to appear legitimate. Once installed, the packages download and execute an obfuscated payload from an attacker-controlled command-and-control (C2) server to collect system information, hostnames, environment variables, and developer context. Read the blog for in-depth analysis and mitigation, detection, and hunting details.

Google Chrome is rolling out device-bound session credentials to all users. Session cookies get cryptographically tied to your device, so stolen cookies can't be replayed from a different machine. Attackers who exfiltrate your cookie database get nothing usable.