Hijacking Open Source Software Packages: A Growing Threat to the Software Supply Chain
New Research Finds Waiting 14 Days for Updates Can Mitigate Package Hijack Attacks
In recent years, package hijacking has emerged as a popular method for attackers to rapidly spread malware throughout the software supply chain. This type of attack involves injecting malicious code into open source software packages, which are then downloaded and used by developers around the world. However, new research conducted by JFrog, a leading provider of software distribution tools, has found that users who wait about 14 days before updating these packages to new versions can avoid the downstream effects of package hijack attacks.
The researchers at JFrog investigated the compromise of several open source packages, some with hundreds of millions of downloads. For each incident they measured how long it took for the attack to be discovered and how many times the package was downloaded before the malicious version was pulled or superseded. The findings indicate that it can take anywhere from a few hours to more than a week for maintainers or the community to spot the malicious code and publish a clean release. Waiting about two weeks before adopting any new version of an open source package is therefore a reasonable default: the protection holds as long as the malicious version is discovered and removed within that window, which was the case for every incident in the study.
Shachar Menashe, senior director of security research at JFrog, explained the significance of this timeframe, stating, “Users that will wait about 14 days before updating to the latest version of a package should be immune from package-hijacking attacks, since in that timeframe the attack should be discovered and the malicious versions of the package will be removed.”
The Rise of Package Hijacking
Package hijacking occurs when either an external threat actor or a project developer/maintainer injects malicious code into an update of the package. This method has become increasingly popular due to the rise of package repositories like npm and PyPI, which provide direct routes for attackers to infect tens of thousands of users within days. It is often easier to compromise a developer’s account on a repository site than to find and exploit a critical zero-day vulnerability, making package hijacking both easier and more impactful than traditional vulnerability attacks.
Time to Detection Matters
JFrog researchers focused on understanding the time it takes for users to realize that a package has been hijacked and for developers to release an update that resolves the issue. This timeframe is critical because it determines how long users remain susceptible to the attack. The researchers analyzed various examples of package hijacking, including external package hijacks and self-package hijacks.
External Package Hijacks
Examples of external package hijacking examined by JFrog researchers include the compromise of the PyTorch Python library (through a malicious torchtriton dependency uploaded to PyPI, which was pulled in by PyTorch nightly builds), and the ua-parser-js and coa npm packages. The PyTorch hijack took five days to discover, during which time the malicious package was downloaded over 3,000 times. The ua-parser-js and coa hijacks were detected within hours of their release. PyTorch has over 180 million downloads, ua-parser-js has been downloaded nearly a billion times in total, and coa is downloaded about nine million times a week. These incidents show how much reach an attacker gains by compromising a single widely used package, and that even a detection window of hours is enough for thousands of installs.
Self-Package Hijacks
The JFrog team also investigated self-package hijacking, where a developer or maintainer deliberately injects malicious or destructive code, typically as a form of protest. Examples include the "colors" and "faker" npm packages, which their author sabotaged in January 2022: colors was given an infinite loop that flooded console output, and faker was published as an empty release. These hijacks were detected two days after release and broke numerous projects that depend on the packages. In March 2022, the maintainer of node-ipc added code that overwrote files on machines whose IP address geolocated to Russia or Belarus, as a protest against the 2022 Russian invasion of Ukraine. It took approximately eight days after the malicious version was released for the issue to be discovered.
Further Mitigations and Recommendations
In addition to waiting about two weeks before updating software packages, developers and organizations can take several steps to address the threat of software supply chain attacks. JFrog suggests vetting packages carefully before including them in software projects. Curation tools are available that allow organizations to define rules for package access, such as blocking the download of third-party packages released within the past 14 days, so that the cooldown is enforced at the artifact proxy rather than left to each developer. The trade-off is that legitimate fixes, including security patches, are delayed by the same window, so the rule works best as a default with an exception path for reviewed urgent updates.
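The following is an added example, not JFrog's curation tooling or anything from the article, showing what a 14-day cooldown looks like when implemented against registry metadata. It uses the shape of the npm registry document returned by `GET https://registry.npmjs.org/<name>`, whose `time` map holds one ISO-8601 publish timestamp per version; the document, the package name `example-pkg` and all timestamps below are constructed sample data. It resolves the newest version that has already aged past the window, and audits a set of pins (as from a lockfile) for versions that are either too young or have vanished from the registry, which is what a pulled malicious release looks like after the fact.

```python
"""Cooldown policy for third-party package updates (added example).

Implements the rule discussed above: never consume a version published less
than COOLDOWN ago, and when resolving, take the newest version that has
already aged past the window. Input follows the npm registry document shape:
"time" maps version -> ISO-8601 publish timestamp, plus the bookkeeping keys
"created", "modified" and (for pulled packages) "unpublished".
"""
from datetime import datetime, timedelta

COOLDOWN = timedelta(days=14)

# Constructed sample registry document for a hypothetical package.
SAMPLE_REGISTRY_DOC = {
    "name": "example-pkg",
    "dist-tags": {"latest": "2.0.1"},
    "time": {
        "created": "2023-01-01T00:00:00.000Z",
        "modified": "2023-03-10T12:00:00.000Z",
        "1.4.0": "2023-01-01T00:00:00.000Z",
        "1.4.1": "2023-02-01T09:30:00.000Z",
        "2.0.0": "2023-03-01T08:00:00.000Z",
        "2.0.1": "2023-03-10T12:00:00.000Z",
    },
}


def at(ts: str) -> datetime:
    """Parse a registry-style UTC timestamp ('...Z') into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def version_key(version: str) -> tuple:
    """Ordering key for plain dotted numeric versions (prerelease tags not handled)."""
    return tuple(int(part) for part in version.split("."))


def publish_times(doc: dict) -> dict:
    """Map version -> publish datetime, skipping the registry's bookkeeping keys.
    The 'unpublished' entry is an object, not a string, so it is skipped too."""
    return {
        v: at(t)
        for v, t in doc["time"].items()
        if isinstance(t, str) and v not in ("created", "modified")
    }


def is_aged(doc: dict, version: str, now: datetime, cooldown: timedelta = COOLDOWN) -> bool:
    """True only if the version exists and was published at least `cooldown` ago."""
    times = publish_times(doc)
    return version in times and now - times[version] >= cooldown


def newest_aged_version(doc: dict, now: datetime, cooldown: timedelta = COOLDOWN):
    """Newest version that has cleared the cooldown, or None if nothing has yet.
    Note this ignores 'dist-tags.latest' on purpose: the tag is what a hijacker
    repoints, the publish timestamp is set by the registry."""
    aged = [v for v, t in publish_times(doc).items() if now - t >= cooldown]
    return max(aged, key=version_key) if aged else None


def check_pins(docs: dict, pins: dict, now: datetime, cooldown: timedelta = COOLDOWN) -> list:
    """Audit pinned versions against the cooldown.

    docs: {package name: registry document}; pins: {package name: version}.
    Returns [(name, version, reason)] for every pin that should not be consumed.
    A pin missing from the registry's time map is flagged as well: that is what
    a pulled malicious release (as with ua-parser-js and coa) looks like later.
    """
    findings = []
    for name, version in pins.items():
        times = publish_times(docs[name])
        if version not in times:
            findings.append((name, version, "version missing from registry (pulled?)"))
        elif now - times[version] < cooldown:
            age_days = (now - times[version]).days
            findings.append((name, version,
                             f"published {age_days} day(s) ago, under {cooldown.days}-day cooldown"))
    return findings


if __name__ == "__main__":
    now = at("2023-03-12T00:00:00Z")
    print("newest aged version:", newest_aged_version(SAMPLE_REGISTRY_DOC, now))
    for finding in check_pins({"example-pkg": SAMPLE_REGISTRY_DOC}, {"example-pkg": "2.0.1"}, now):
        print("BLOCK", *finding)
```

Resolving by publish time rather than by the `latest` tag matters because a hijacker who takes over an account controls the tag, while the timestamp is assigned by the registry. The same logic applies to PyPI, whose JSON API exposes an `upload_time` per release file; only the parsing of the document changes.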
JFrog has also published a blog post to help developers and organizations detect how malicious code is hidden within software packages, enabling them to avoid using these compromised packages in their projects.
Conclusion: Building Resilience for the Future
The increasing prevalence of package hijacking attacks highlights the urgent need for improved security measures in the software supply chain. As the reliance on open source software continues to grow, it is crucial that developers and organizations prioritize the security and integrity of the packages they use. Implementing regular security audits and adopting best practices for vetting, updating, and distributing software packages can significantly reduce the risk of falling victim to package hijack attacks.
The findings from JFrog’s research provide valuable insights into the time it takes for package hijacks to be detected and mitigated. By waiting approximately two weeks before updating to new versions of open source software packages, users can greatly reduce their vulnerability to package hijacking attacks. However, this should not be the only defense. It is imperative that developers and organizations remain vigilant, stay informed about emerging security threats, and take proactive measures to secure their software supply chain.