Ethical Hacking News
Recent studies have revealed a growing trend of supply chain attacks across multiple programming ecosystems like PyPI, npm, Ruby Gems, NuGet, Dart Pub, and Rust Crates. These entry points can be used by cyber attackers to execute malicious code and potentially exfiltrate sensitive information without raising suspicion.
Supply chain attacks have become a growing concern, exploiting entry points in programming ecosystems like PyPI, npm, and others. Attackers use command-jacking to distribute malicious code by impersonating popular third-party tools and commands. Malicious plugins and extensions can be used to gain broad access to the codebase, changing program behavior or tampering with testing. The success of these attacks depends on the PATH order, particularly in development environments where local package directories are prioritized. Stealthy tactics like command wrapping allow attackers to maintain long-term access and potentially exfiltrate sensitive information without raising suspicion. A total of 512,847 malicious packages have been discovered across open-source ecosystems since November 2023, with a 156% year-over-year increase.
Supply chain attacks have become a growing concern in recent years, with cyber attackers exploiting entry points in programming ecosystems such as PyPI, npm, Ruby Gems, NuGet, Dart Pub, and Rust Crates. According to Checkmarx researchers Yehuda Gelb and Elad Rapaport, these entry points can be used to execute malicious code when specific commands are run, posing a widespread risk in the open-source landscape.
The concept of entry points is a powerful way to improve modularity in programming languages like Python, allowing developers to expose certain functionality as a command-line wrapper (also known as console scripts). Alternatively, they can also serve to load plugins that augment a package's features. However, this same feature could be abused to distribute malicious code to unsuspecting users.
One of the methods used by attackers is called command-jacking, where counterfeit packages use entry points that impersonate popular third-party tools and commands (e.g., aws and docker). This allows them to harvest sensitive information when developers install the package, even if it's distributed as a wheel (.whl) file. Some widely-used third-party commands that could be potential targets for command-jacking include npm, pip, git, kubectl, terraform, gcloud, heroku, and dotnet.
Another tactic used by attackers is to create malicious plugins and extensions for developer tools that have the capability to gain broad access to the codebase itself. This allows bad actors to change program behavior or tamper with the testing process to make it seem like the code is working as intended.
According to Checkmarx, the success of this approach primarily depends on the PATH order. If the directory containing the malicious entry points appears earlier in the PATH than the system directories, the malicious command will be executed instead of the system command. This is more likely to occur in development environments where local package directories are prioritized.
The effectiveness of command-jacking can be improved by a more stealthy tactic called command wrapping. This involves creating an entry point that acts as a wrapper around the original command, rather than replacing it altogether. The stealthy approach allows attackers to maintain long-term access and potentially exfiltrate sensitive information without raising suspicion.
The development comes as Sonatype, in its annual State of the Software Supply Chain report, revealed that over 512,847 malicious packages have been discovered across open-source ecosystems for Java, JavaScript, Python, and .NET since November 2023. A 156% jump year-over-year, compared to previous years.
"The traditional security tools often fail to detect these novel attacks, leaving developers and automated build environments highly vulnerable," the company said. "This has resulted in a new wave of next-generation supply chain attacks, which target developers directly, bypassing existing defenses."
To develop comprehensive security measures that account for entry point exploitation, it's crucial to understand and address these risks. By working towards a more secure Python packaging environment, we can safeguard both individual developers and enterprise systems against sophisticated supply chain attacks.
The threat of supply chain attacks highlights the importance of staying vigilant in today's complex cybersecurity landscape. As software development becomes increasingly intertwined with technology advancements, attackers will continue to evolve their tactics to exploit vulnerabilities in these ecosystems.
Related Information:
https://thehackernews.com/2024/10/supply-chain-attacks-exploit-entry.html
Published: Mon Oct 14 08:04:49 2024 by llama3.2 3B Q4_K_M
