
What is Supply Chain Threat Intelligence?

Supply chain attacks are perpetrated by causing developers to download packages that initiate harmful activities on the developer's PC. This can provide hackers with access to sensitive information and introduce severe risks down the line in the development process. Supply chain security focuses on protecting the entire process of creating and distributing software, from the initial development to the final delivery to the end user.

Checkmarx has developed a proprietary Supply Chain Security (SCS) database that contains ~150,000 packages that we have identified as posing supply chain risks, and we are constantly updating it with new findings.

Supply Chain Threat Intelligence is a new product offered by Checkmarx that enables you to access our SCS database to identify suspicious packages before they are introduced into your environment.

To use this tool, you simply submit an API call with a list of packages that you plan to use, and the API returns detailed info about any possible supply chain risks posed by any of those packages.

How We Detect Supply Chain Risks

The Checkmarx SCA scanner identifies packages with a wide range of supply chain risks and lists those risks in the scan results. Checkmarx SCA groups the supply chain vulnerabilities it identifies into the following types:

  • Reputation - There is reason to suspect the credibility of the owner or contributors of the package, e.g., a newly created user is registered as the package owner.

  • Reliability - There are irregularities in the naming or maintenance patterns of the package, e.g., Typosquatting or Chainjacking.

  • Behavior - The behaviors of the package are unsafe. The package may be malicious by design, or it may inadvertently introduce risks into your project. This category includes packages that exfiltrate information about the operating system, user credentials, etc.

The following table shows some examples of supply chain risks of each type that are identified by Checkmarx SCS Threat Intelligence.

| Type | Title | Description |
| --- | --- | --- |
| Reputation | New User | The owner of this package is a newly created user. |
| Reputation | Protestware | Software that includes functionality which aims to protest or raise an issue. |
| Reputation | Repojacking | Taking over the repository of a legitimate package. |
| Reputation | Account takeover | The compromise of a legitimate maintainer's account by an attacker, which is then used to spread malicious packages. |
| Reliability | Dependency Confusion | This package introduces the risk of substituting a package from a public registry in place of a similarly named package in a private registry. For example, it uses private packages for which the namespace is unreserved on the public registry. |
| Reliability | Typosquatting | This package mimics the name of a popular package, inducing users to inadvertently call this package. |
| Reliability | StarJacking | There is a weak link between the package metadata and the referenced Git repository. |
| Reliability | Chainjacking | This package is stored in a renamed GitHub repository, making it vulnerable to an attacker taking control of the repo and serving malicious code through the package. |
| Behavior | Harmful File Download | This package downloads a harmful file. |
| Behavior | Malicious Package | This package was manually inspected by a security researcher and flagged as being malicious by design. |
| Behavior | Data Exfiltration | This package exfiltrates computer and operating system information. |
| Behavior | Data Exfiltration | This package exfiltrates stored credentials and sensitive information. |
| Behavior | Network Anomaly | This package sends information via DNS Tunneling, which exploits the highly trusted DNS protocol to tunnel malware and other data through a client-server model. |
| Behavior | Network Anomaly | This package communicates with a service (domain address) commonly used by attackers. |
| Behavior | Crypto Miner | This package executes crypto mining software. |
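Two of the Reliability checks in the table, Typosquatting and Dependency Confusion, can be approximated locally before a dependency is installed. The following is an added example, not Checkmarx code and not backed by the SCS database: the popular-package list, the public-registry set, the private inventory and the 0.8 similarity threshold are all constructed assumptions for the demonstration.

```python
from difflib import SequenceMatcher

# Constructed reference data (not the Checkmarx SCS database): a few popular
# public package names, the names resolvable on the public registry, and the
# organisation's own private-registry inventory.
POPULAR_PUBLIC = {"moment", "lodash", "express", "request", "react"}
PUBLIC_REGISTRY = POPULAR_PUBLIC | {"flow-dev-tools"}
PRIVATE_PACKAGES = {"flow-dev-tools", "acme-auth-client"}


def typosquat_candidates(name, popular=POPULAR_PUBLIC, threshold=0.8):
    """Popular names that `name` closely resembles without matching exactly.

    Character-level similarity: a single transposition in a short name
    (momnet / moment) scores above the threshold, while unrelated names score
    far below it. The 0.8 cut-off is an assumed heuristic, not a Checkmarx value.
    """
    hits = []
    for known in popular:
        if known == name:
            continue  # an exact match is the real package, not a squat
        ratio = SequenceMatcher(None, name, known).ratio()
        if ratio >= threshold:
            hits.append((known, round(ratio, 2)))
    return sorted(hits, key=lambda hit: -hit[1])


def dependency_confusion_risk(name, private=PRIVATE_PACKAGES, public=PUBLIC_REGISTRY):
    """True when a private package name is also resolvable from the public
    registry, so a resolver that consults both may fetch the public copy."""
    return name in private and name in public


def assess(package_names):
    """Map each dependency name to the Reliability risks found for it."""
    report = {}
    for name in package_names:
        risks = []
        squat = typosquat_candidates(name)
        if squat:
            risks.append(f"Typosquatting (resembles {squat[0][0]})")
        if dependency_confusion_risk(name):
            risks.append("Dependency Confusion")
        report[name] = risks
    return report


if __name__ == "__main__":
    # Constructed dependency list mixing clean and risky names.
    for pkg, risks in assess(["momnet", "flow-dev-tools", "lodash", "acme-auth-client"]).items():
        print(f"{pkg}: {risks or 'no reliability findings'}")
```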

Examples

The following are some examples of suspicious packages with various types of SCS risks that we have identified:

| Package type | Package name | Version(s) | Attack vector used |
| --- | --- | --- | --- |
| npm | node-ipc | 9.2.2 | Protestware |
| npm | momnet | any | Typosquatting |
| npm | ua-parser-js | 0.7.29 | Account Takeover |
| npm | flow-dev-tools | any | Dependency Confusion |
| rubygems | pretty_color | any | Typosquatting |
| npm | zvkenxparfbmksjo | any | Cryptominer |
| mvn | com.github.codingandcoding:mail-watcher-plugin | any | Typosquatting |
| pypi | 10cent10 | any | Reverse Shell |
| npm | easy-stack | any | At risk due to correlation with a risky maintainer |
| go | github.com/maximabramchuck/awesome-interviews | any | Risk of Repojacking |
| pypi | python-io-wrapper | any | Expired Email Domain |