1. Home
    2. »
  2. Blog
    3. »
  3. Other
    4. » Securing the Software Supply Chain: Detecting and Responding to Compromised Packages Due to Maintainer Account Compromises

Securing the Software Supply Chain: Detecting and Responding to Compromised Packages Due to Maintainer Account Compromises

- Posted in Other by - Permalink
Securing the Software Supply Chain: Detecting and Responding to Compromised Packages Due to Maintainer Account Compromises

Background: Today, we heavily rely on open-source developed packages and solutions. Previous lessons have shown that compromises in these solutions can pose critical threats. These solutions serve as entry points for attackers to bypass restrictions such as firewalls and deliver their code into your private solution core. This article will help you understand the depth of this issue and how to increase the chances of detecting such compromises, even when no one is aware of them and there are no public notifications.

Pre-infection stage: There are numerous hubs that provide the capability to collect packages for specific languages and solutions in one place. Examples include DockerHub, PyPI, npmjs, Maven, NuGet, and more. Unfortunately, attackers can exploit leaked credentials from these platforms, particularly those belonging to package maintainers. Even if platform owners require package publishers to use Multi-Factor Authentication (MFA), attackers can bypass this security measure with the help of stolen cookies. In some cases, threat actors can leverage these vulnerabilities to alter package code or any references to it. As a result, all developers using the compromised dependency will be impacted, as the harmful code can be delivered to their codebase at runtime.

Detection: To detect threats that may arise from npmjs, PyPI, and similar platforms, I recommend utilizing dynamic detection methods that involve specific activities. Firstly, it is crucial to have an isolated machine equipped with Endpoint Detection and Response (EDR), Extended Detection and Response (XDR), or any other solution designed to protect your working environment. Next, you can automatically collect the list of used packages from the version control system and execute them on this isolated environment. Subsequently, you can implement MITRE ATT&CK detection stages on that machine and employ other methods to detect, for example, obfuscated commands, Command-and-Control (C2) connections, and so on. While relying on maintainers' public notifications is important, it's essential to note that by the time such notifications are made, it may already be too late for your codebase. enter image description here

Current threat landscape: Current checks indicate that thousands or more credentials, along with cookies, have been leaked for npmjs, PyPI, and other platforms. This provides potential threat actors with the opportunity to search through these sources and identify suitable candidates for injecting harmful chunks of code.

Mitigation steps: 1. Always use the exact version of a dependency in package.json, Dockerfile, requirements.txt, and other places. This practice can increase the likelihood that you will not be impacted if a newer version of the dependency is infected with harmful code. 2. Always monitor your dependencies in an isolated platform and implement a notification system to stay informed about any potential security issues or updates related to your dependencies.

Happy Hunt ! Jok3r

Tags:

Related posts

« »