A good developer is an efficient developer and part of being an efficient developer is not re-inventing the wheel for every project or solution. As a result, many of us leverage the benefits of freely available open source software and/or packages to save time and effort and let us achieve our functionality and features faster. And while these open source solutions save significant time, effort, and headaches, importing others’ code into our projects exposes us to potential risks and vulnerabilities we otherwise wouldn't face if we developed all our code ourselves.
One continually evolving attack vector for nefarious actors is the software supply chain, particularly within open source software package solutions and repositories. Many of these exploits are not sophisticated, but they are particularly potent due to their ease of execution, potential wide impact across organizations and projects, and difficulty to detect. These exploits include, but are not limited to:
- RepoJacking - identifying vulnerable legitimate open source repositories (e.g., no 2FA authentication) and using brute-force or phishing tactics to secure access to the project and surreptitiously adding code or dependencies without the original authors or consumers noticing. Additionally, attackers have leveraged the user renaming capability within GitHub to take over a previously legitimate project.
- StarJacking - effectively "cloning" the star rating/download numbers of an upstream project to lend (false) credibility to a nefarious package (e.g., creating a new package on PyPi and sending PyPi metadata indicating it is a fork of a legitimate project, whereas in fact it is not).
- TypoSquatting - creating malicious packages with names derived from other popular reputable packages in the hopes that developers typo the name in their package manifests and pull the malicious package on accident (e.g., attackers naming an NPM package reqest, reuqest, requesst in hopes a developer makes a mistake an imports the attacker's package rather than the legitimate one)
- Dependency Confusion - cloning the code from a legitimate project and simply adding an otherwise unneeded package dependency on a malicious package. This attack can be implemented by RepoJacking or an iteration on the above Typo Squatting.
- Source Control Action/Automation Manipulation - leveraging CI automation tools (e.g., GitHub actions) to automatically build and run malicious code during push or release actions
Checkmarx team of researchers and engineers proactively pull down and test thousands of packages published weekly within a dedicated “detonation chamber” environment to identify and index nefarious or exploited packages and we report our findings to the relevant package management platform. In our testing, we have observed many of these exploits occurring "in the wild," and while there are no clear-cut solutions, there are relatively small actions we as open source community members can take to avoid hackers from exploiting the fruits of their spoils. These actions include (but are not limited to):
- Developers can ensure they only import dependencies (and those dependencies' dependencies) that are needed.
- Developers can ensure our package manifests are free of typos and are using strict versioning so as to prevent automated upgrading of packages
- Developers can leverage both static and dynamic code scanning and SCA analysis to identify vulnerabilities early and ensure their projects and software are not "calling home" to unknown destinations
- Open source developers can implement 2FA for their open source software project repositories to prevent brute force attacks and takeover of projects
- Package and repository solutions (e.g., NPM, Pypi, GitHub) can enforce project forking tracking and improve project credibility enforcement to prevent or mitigate StarJacking
- Package and repository solutions, open source developers, and security organizations can establish and agree upon a common standard for identifying and flagging malicious software packages and repositories to improve identification, detection, and removal of malicious software packages and code (target resolving the "Package Naming Problem")
Ultimately, improving security within the open source community is our responsibility as developers, project contributors, and stewards. Checkmarx can help you and your organization protect your applications from software supply chain vulnerabilities through our suite of application scanning tools such as Checkmarx Supply Chain Security offering (SCS), SAST, and KICS, all of which are available as services within the integrated Checkmarx One platform. Often, and given the nature of supply chain attacks, we need to correlate the results from multiple scans to identify vulnerabilities or malicious code within our projects.
With Checkmarx Fusion correlation engine integrated within Checkmarx One, we automate and illustrate the results from these multiple scans to make it simple and easy for developer teams and information security teams to identify and remediate quickly. Lastly, be sure to check out our open source tool, ChainJacking, which can help you identify which of your direct GitHub dependencies are susceptible to RepoJacking attacks.
For more information, watch our recent session at The Linux Foundation Open Source Summit North America entitled The Simple, Yet Lethal, Anatomy of a Software Supply Chain Attack presented by Jossef Harush, Head of Engineering of Supply Chain Security at Checkmarx. Additionally you can download the Understanding Open Source Supply Chain Attacks whitepaper.
