
Your Security Program Could Be a Hacking Tool? Here's an Easy Explanation of Supply Chain Attacks That Even Developers Fell For

 

Wait, the security tool I trusted became a hacking tool?

You know that program your IT team at work sends you saying "Please install this"? You obviously trust it because they say it's a security tool, so you install it without thinking. But what if that installation file itself was already hacked? Just thinking about it gives you chills, right?

Well, that's exactly what happened this time. Trivy is a tool that developers use to check whether their software has security vulnerabilities. In simple terms, it's like "an antivirus program, but for developers to check code security." And this security checker itself got breached by attackers.

The attackers secretly broke into the system that distributes Trivy and uploaded a malicious version as if it were the real thing. So from a developer's perspective, the file they got from the "official website" was actually a hacking tool. Honestly, even experts would have a hard time spotting this right away.

CAUTION: This is what a supply chain attack is. It's not about you clicking a suspicious link or downloading a sketchy file yourself. Instead, the official software you trust is distributed in an already-infected state. This is scarier because you can fall victim to it no matter how careful you are.

So what exactly got stolen and how much?

The software affected by this incident is honestly massive. Besides Trivy, another development tool called TanStack was also compromised, and through these two tools, a whole chain of other software got infected one after another. It was like dominoes falling.

| Affected Area | Scale |
|---|---|
| npm packages (JavaScript development tools collection) | 64+ packages |
| TanStack packages (UI development tools) | 42 packages, 84 versions |
| PyPI packages (Python development tools collection) | Including litellm, telnyx, etc. |
| VS Code extensions | Multiple affected |
| Severity level (CVSS score, out of 10) | 9.4 / 9.6 points |

If the CVSS score is in the 9s, it falls in the "Critical" band (9.0 to 10.0), the highest danger category. For reference, a score of 10 means "it's the kind of thing that would flip the entire world upside down." So 9.4 and 9.6 are essentially at that level.

And when this malicious file gets installed, it secretly plants a backdoor named pgmon or sysmon inside your computer. Through these backdoors, the infected computer stays in regular contact with the attackers' server (the C2, or command-and-control, server), and the attackers continuously steal information.

TIP: A backdoor is a secret passage that hackers create so they can get back in later. Think of it like your front door is locked, but there's a key hidden in the back door that only the hacker knows about.

The list of leaked information is absolutely massive too. Cloud authentication credentials for AWS, GCP, and Azure, SSH keys (the key files used to log in to servers), cryptocurrency wallet info for Bitcoin and Ethereum, database passwords, and even .env files (development environment configuration files) were all stolen. Seriously, there's nothing left.

I'm not a developer, but am I at risk too?

You might be thinking, "Well, I'm not a developer, so I should be fine, right?" But actually, that's not necessarily true. Even if you don't directly use these tools, you can still be indirectly affected.

Let me give you an example. You know those internal company systems, online shopping malls, and app services you use every day? If the development team that built them was using one of these compromised tools, then their server information got stolen. And if my personal info or payment details are on that server? Yeah, I'm connected to the problem.

Also, these days a lot of people who work in IT at companies use a program called VS Code (Visual Studio Code). Since VS Code extensions were also affected in this incident, even if you're not a developer, if you use this program, you should probably check it out.

CAUTION: If your cloud account credentials were leaked, you need to change your password immediately. If you're using cloud services like AWS, GCP, or Azure for work, it's safest to regenerate your tokens and change your passwords right now as a precaution.

Here's what you can do right now that actually makes a difference

Don't panic. There are definitely things you can do. Just following these three steps will make a huge difference.

1. If you're a developer or IT person, check your versions right now. If you're using software affected by this incident like Trivy, TanStack, or litellm, check your version and update to the latest clean version. And you absolutely need to check if there are any suspicious files in the ~/.local/share/pgmon/ or ~/.config/sysmon/ directories.

2. Regenerate all your cloud and GitHub tokens. If you've ever worked in a potentially infected environment, it's safer to invalidate all your npm tokens, PyPI tokens, GitHub tokens, AWS access keys, etc., and get new ones issued. Even though it's annoying, this is the most reliable method.

3. Report suspicious activity immediately. If you detect strange network communication on your computer or server, or suspect a breach, you can immediately report it to KISA's BoHo website (boho.or.kr). Don't try to solve it yourself. Getting help from professionals is much faster and safer.

TIP: For regular users, it's really important to get in the habit of checking "recent login history" in the apps and services you use. If you see login records from devices or locations you've never used, change your password right away and turn on two-factor authentication.
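
For the directory check in step 1, here is a small shell script. It is an added example, not part of the original post: the two directory names come from step 1, while the function name, the output format and the use of sha256sum are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. The two directory names are the
# ones given in step 1; function names and output format are illustrative.
# Assumes sha256sum (GNU coreutils) is installed.

# scan_home HOME_DIR
#   Prints every file found under the two directories and returns
#   0 when neither directory exists, 1 when at least one does.
scan_home() {
    home_dir=$1
    found=0
    for rel in .local/share/pgmon .config/sysmon; do
        dir="$home_dir/$rel"
        [ -d "$dir" ] || continue
        found=1
        echo "FOUND: $dir"
        # Record hash, size and path so the evidence can be reported as-is.
        find "$dir" -type f | while IFS= read -r f; do
            hash=$(sha256sum "$f" | cut -d' ' -f1)
            size=$(wc -c < "$f" | tr -d ' ')
            echo "  sha256=$hash bytes=$size path=$f"
        done
    done
    return "$found"
}

# Check the current user's home directory. Nothing is deleted or modified.
if scan_home "${HOME:-/nonexistent}"; then
    echo "No pgmon or sysmon directory found."
else
    echo "Directory present: keep the files, rotate credentials (step 2), report (step 3)."
fi
```

On a shared machine, call scan_home once for each user's home directory.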

Frequently Asked Questions

Q. I've never even heard of Trivy or TanStack. This has nothing to do with me, right?

A. If you're not using them directly, your direct risk is low. But the development team that created the services or company systems you use might have been using these tools. If their server info gets leaked, your information could indirectly be at risk too. That's why setting up two-factor authentication on important accounts is the best preventive measure.

Q. Can't I even trust files from official websites?

A. With supply chain attacks like this one, the official distribution system itself can be breached, so you can get infected even through official channels. That's why companies and development teams shouldn't rely solely on automatic software updates—it's good to also verify hash values (file unique authentication numbers) and subscribe to official security announcements. For regular users, just not installing extensions from unclear sources already makes you much safer.
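
The hash check mentioned in this answer can be scripted as follows. This is an added example, not part of the original post: the function name, the file names and the sample contents are constructed, and it assumes sha256sum and a checksum list in the "hash  filename" layout that sha256sum writes.

```shell
#!/bin/sh
# Added example, not from the original post. File names and contents are
# constructed; assumes sha256sum (GNU coreutils) and file names without spaces.

# verify_download FILE CHECKSUMS
#   CHECKSUMS uses the "hash  filename" layout written by sha256sum.
#   Returns 0 = hash matches, 1 = mismatch, 2 = file missing or not listed.
verify_download() {
    file=$1
    sums=$2
    [ -f "$file" ] && [ -f "$sums" ] || return 2
    name=$(basename "$file")
    # Pick the expected hash for exactly this file name ("*name" = binary mode).
    expected=$(awk -v n="$name" '$2 == n || $2 == ("*" n) { print $1; exit }' "$sums")
    [ -n "$expected" ] || return 2
    # Published hashes are sometimes upper case; normalise before comparing.
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# Demonstration on a constructed file: pin its hash, then tamper with it.
demo() {
    d=$(mktemp -d)
    printf 'constructed installer bytes\n' > "$d/tool.tar.gz"
    (cd "$d" && sha256sum tool.tar.gz > pinned.sha256)
    verify_download "$d/tool.tar.gz" "$d/pinned.sha256" && echo "OK: hash matches"
    printf 'tampered\n' >> "$d/tool.tar.gz"
    verify_download "$d/tool.tar.gz" "$d/pinned.sha256" || echo "MISMATCH: do not install"
    rm -rf "$d"
}
demo
```

The checksum list only helps if it was obtained separately from the download itself, for example recorded from an earlier known-good release or taken from an official security announcement; a hash fetched from the same breached server can be replaced along with the file.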

This incident might feel like a story from far away, but honestly, it's way more connected to our daily lives than you'd think. The apps you use every day, your company systems, and your payment info are all connected through someone's development environment somewhere. I'm not saying this to scare you—but by knowing this kind of thing happens and just taking basic precautions, you'll be much safer. If you know any developer friends, it might be good to share this with them! 😊

#SupplyChainAttack #SecurityNews #Trivy #TanStack #HackingAlert #KISA #DeveloperSecurity #CyberSecurity