New Supply Chain Attack Leveraging Entry Points in PyPI, npm, Ruby Gems & NuGet
- From site: Vulnerability (cybersecuritynews.com)
Author: Guru Baran
A sophisticated supply chain attack has been identified that leverages entry points in popular open-source package repositories, including PyPI (Python), npm (JavaScript), Ruby Gems, and NuGet (.NET).
This attack vector poses significant risks to both individual developers and enterprises, highlighting the need for more comprehensive security measures in the open-source landscape.
Entry points are designed to expose specific functionality as command-line interface (CLI) commands without requiring users to know the exact import path or structure of a package. However, attackers have found ways to leverage this feature for malicious purposes.
According to Checkmarx, the attack works by creating malicious packages that define entry points mimicking popular third-party tools or system commands.
When unsuspecting developers install these packages and later execute the associated commands, they unknowingly trigger the execution of harmful code.
Sophisticated Entry Points
(Figure: Supply Chain Attack Leveraging Entry Points)
Attackers employ various tactics to maximize the impact and stealth of their operations:
- Command-Jacking: Malicious packages impersonate widely-used third-party tools like ‘aws’, ‘docker’, or ‘npm’. When developers use these commands, the fake versions can potentially exfiltrate sensitive information or compromise entire cloud infrastructures.
- System Command Impersonation: Attackers create entry points that mimic fundamental system utilities such as ‘touch’, ‘curl’, or ‘ls’. The success of this method depends on the PATH order, with locally installed packages often taking precedence.
- Command Wrapping: To avoid detection, some attackers implement a wrapper around the original command. This technique executes the malicious code silently while still running the legitimate command, preserving normal behavior and making the attack extremely difficult to detect.
The exploitation of entry points is not limited to the Python ecosystem but extends to other major ecosystems including npm (JavaScript), Ruby Gems, NuGet (.NET), Dart Pub, and Rust Crates.
Checkmarx said this widespread vulnerability underscores the need for a comprehensive understanding of how entry points function across various programming languages and package managers.
Implications and Mitigation
This new attack vector poses significant risks to both individual developers and enterprise systems. It has the potential to bypass traditional security checks and provide attackers with a stealthy, persistent method of compromising systems.
To mitigate these risks, experts recommend:
- Implementing stricter vetting processes for third-party packages
- Regularly auditing installed packages and their entry points
- Using virtual environments to isolate potentially harmful packages
- Employing comprehensive security solutions that can detect suspicious entry points
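As an added example (not code from the article or from Checkmarx) of the "audit installed packages and their entry points" recommendation, the script below lists every Python console-script entry point in the current environment and flags names that collide with another executable on PATH, or with a constructed watch-list of commonly impersonated tool names, reporting whether the PATH order described under System Command Impersonation lets the package's script win. The watch-list and the assumption that console scripts live next to the interpreter are assumptions, not from the page.

```python
import os
import sys
from importlib.metadata import entry_points

# Constructed watch-list of tool names the article says get impersonated (assumption).
WATCHED = {"aws", "docker", "npm", "touch", "curl", "ls"}

def installed_console_scripts():
    """Return {command: (distribution, 'module:attr')} for every console_scripts entry."""
    eps = entry_points()
    # Python 3.10+ returns a selectable object; older versions return a plain dict.
    group = eps.select(group="console_scripts") if hasattr(eps, "select") \
        else eps.get("console_scripts", [])
    scripts = {}
    for ep in group:
        dist = getattr(ep, "dist", None)  # EntryPoint.dist exists from Python 3.10
        scripts[ep.name] = (dist.metadata["Name"] if dist else "<unknown>", ep.value)
    return scripts

def path_listing(path_dirs):
    """Map each PATH directory to the executable names it contains (missing dirs -> empty)."""
    listing = {}
    for d in path_dirs:
        try:
            listing[d] = {n for n in os.listdir(d) if os.access(os.path.join(d, n), os.X_OK)}
        except OSError:
            listing[d] = set()
    return listing

def find_collisions(scripts, script_dir, path_dirs, listing):
    """Flag console scripts that share a name with another executable on PATH or with a
    watched tool name, and record whether PATH order makes the package's script win."""
    findings = []
    for name, (dist, target) in sorted(scripts.items()):
        others = [d for d in path_dirs if d != script_dir and name in listing.get(d, ())]
        if not others and name not in WATCHED:
            continue
        first = next((d for d in path_dirs if name in listing.get(d, ())), None)
        findings.append({
            "name": name, "distribution": dist, "target": target,
            "collides_with": others,
            "shadows_path": first == script_dir and bool(others),  # package script resolves first
            "watched_name": name in WATCHED,
        })
    return findings

if __name__ == "__main__":
    path_dirs = os.environ.get("PATH", "").split(os.pathsep)
    script_dir = os.path.dirname(sys.executable)  # assumption: pip's console-script directory
    for f in find_collisions(installed_console_scripts(), script_dir, path_dirs, path_listing(path_dirs)):
        print(f)
```

A finding with `shadows_path` true means typing that command in the environment runs the package's entry point rather than the system or vendor binary, which is exactly the condition worth reviewing after installing a new dependency.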
In light of these findings, developers and enterprises are urged to remain vigilant and take proactive steps to secure their open-source supply chains.
This includes conducting thorough security audits of packages, using trusted sources for package installations, and staying informed about the latest security threats and best practices in the open-source community.