Identifying OSS Security Risks To Safeguard Software Supply Chains

Software development has seen something of a revolution over the past decade, with the leading force behind this being the rise of open source. Alongside the rise of open source software (OSS) itself, a dedicated community has formed leading to the creation of repositories where software packages can be held, shared and utilised. Of these, the npm stands out as one of the world's largest software development tools and repositories dedicated to housing JavaScript packages.

Despite the obvious advantages of open source, it’s not immune from misuse, with bad actors utilising repositories to disseminate compromised software and threaten the security of the overall software supply chain.

A recent npm registry violation has shown just how quickly these threats can arise, highlighting the urgent need for organisations to strengthen their risk management strategies.

Misuse of Open Source Repositories

The npm registry plays a crucial role for developers, allowing them to publish and access software components effortlessly. Sonatype recently discovered a significant surge in multimedia packages flooding the npm registry from a user named 'wlwz.' While multimedia assets are often a legitimate part of software applications, this particular asset dump was noteworthy because of its volume (748 packages were uploaded) and content – each package contained partial video clips, which appear to be extracted movies from pirated Blu-Rays and DVDs. 

Though pirated content may seem to be a relatively minor violation, even minor misuse of OSS carries significant dangers as it clouds the clarity of these repositories, and goes directly against their intended purpose, which is to host software projects. Operating in a muddied environment makes it easier for malicious actors to disguise harmful components, making it difficult for developers to distinguish between legitimate software and potentially malicious components. Developers may unknowingly integrate these components into their projects as a result, posing a serious risk to the integrity and security of the software.

The Content Verification Challenge

Over the last two to three years, there have been hundreds of reports about OSS registries being infiltrated by crypto-miners, spam packages, and dependency confusion attacks. Alongside unintentionally disseminating malware, registries can have OSS components that are vulnerable to zero-day attacks, like Log4Shell. These incidents reflect a concerning trend in the evolution of user tactics, with attackers demonstrating greater complexity and sophistication in their methods. Unchecked, attacks like these threaten the integrity of entire repositories which, due to their widespread use, threatens the entire software supply chain.

The SolarWinds Orion Platform hack is an example of how widespread and devastating these attacks can be. Malicious code can undermine software hygiene, leading to data breaches, interconnected system intrusions, and system compromises. The infiltrations extend the risk to customers, partners, and stakeholders, resulting in reputational damage and financial losses.

With such high stakes, one of the key challenges developers face is distinguishing between legitimate and malicious packages on OSS repositories. While some multimedia assets may not be dangerous, others could conceal harmful payloads like trojan malware and other malicious programs.

Robust security measures and continuous monitoring are crucial to detect and mitigate such threats effectively, safeguarding the software supply chain's resilience against future breaches.

Importance Of Security

Bad actors don’t just rely on highly choreographed and sophisticated attacks, sometimes their tactics are relatively benign. Some of these are insidiously simple but nonetheless effective. These tactics include account takeovers, brand jacking, and typosquatting – where attackers upload corrupted packages with names similar to popular ones already in use.

Distinguishing between legitimate and malicious code on OSS registries presents a significant challenge. The sheer scale of this issue and the variety of tactics unfortunately means that human intelligence alone cannot adequately monitor every package and identify the corrupted ones. Multiply this by the number of dependencies on any given software package and the true scope of the problem comes to light. Therefore, it's vital to stress the importance of implementing effective DevSecOps solutions with automation to help uphold platform integrity.

Misuse of open source registries poses risks that escalate through the development lifecycle. Hosting illicit content undermines trust and security, as it can potentially impact interconnected systems. Considering that vulnerabilities can have far-reaching consequences and threaten the resilience and trustworthiness of the entire software supply chain, protecting these platforms is critical.

Safeguarding The Software Supply Chain

Safeguarding the software supply chain is a shared responsibility for developers, administrators, and organisations. Enforcing strict security protocols and upholding platform terms of service are crucial steps in discouraging non-software content hosting and maintaining platform integrity. Developers must adhere to industry best practices and refrain from uploading irrelevant content to ensure the reliability of software components.

By raising awareness about misuse and implementing these preventive measures, the open source community can effectively mitigate the risks posed by repository misuse and maintain the integrity of the software supply chain. Partnerships and vigilance will ensure that open source remains a trusted and valuable resource for developers worldwide in their new project builds. 

Ax Sharma is a Security Researcher at Sonatype 

Image: Ideogram

You Might Also Read: 

Cyber Criminals Exploit Legitimate Software:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

« Surge in “Hunter-Killer” Malware

« British Navy Combines With The Japanese Military To Counter Cyber Attacks
Insights From An Early Adopter Of Microsoft 365 Copilot »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Kaymera Technologies

Kaymera Technologies

Kaymera’s comprehensive mobile enterprise security solution defends against all mobile threat and attack vectors.

Paladion

Paladion

Paladion is a provider of managed IT security services.

CUIng.org

CUIng.org

The CUIng initiative was launched to tackle the problem of criminal exploitation of information hiding techniques.

CyberSift

CyberSift

CyberSift is a cyber security provider. We develop threat detection software which needs no infrastructure changes as it integrates with almost any security tool.

Responsible Cyber

Responsible Cyber

Protect yourself with Responsible Cyber’s 360° platform, IMMUNE, arming you with comprehensive support for your business.

BIO-key

BIO-key

BIO-key is a pioneer and innovator, we are recognized as a leading developer of fingerprint biometric authentication and security solutions.

International Association of Security Awareness Professionals (IASAP)

International Association of Security Awareness Professionals (IASAP)

IASAP provides a members-only virtual sharing platform where security awareness professionals engage in a lively, year-round exchange of information and ideas.

SnapAttack

SnapAttack

SnapAttack is a collaborative platform that empowers your security team to stay ahead of threats, create robust behavioral analytics for your existing tools, and prove your program's effectiveness.

Symbol Security

Symbol Security

Through situational learning, simulations, and a gamified user experience, Symbol strengthens the cyber awareness of employees and helps companies lower cyber risk.

iVision

iVision

iVision is a technology integration and management firm that engineers success for clients through objective recommendations, process and technology expertise and best-of-breed guidance.

Trackd

Trackd

At trackd, we’re re-imaging vulnerability remediation for the benefit of the entire cyber security community. Automating Vulnerability Remediation without the Fear of Disruption.

VENZA

VENZA

VENZA is a data protection company that can help organisations mitigate their vulnerabilities and ensure compliance, keeping guests and their data safe from breaches.

Chestnut Hill Technologies (CHT)

Chestnut Hill Technologies (CHT)

CHT provide Best Practices IT Cybersecurity and Technology Solutions and Consulting Support to the Mid Cap through Fortune 1000 Nationwide.

Strata Information Group (SIG)

Strata Information Group (SIG)

Strata Information Group (SIG) is a trusted partner in IT solutions and consulting services.

Netia

Netia

Netia is a Polish telecommunications company providing a range of business services including network solutions, communications, data centre and cloud, and cybersecurity.

Ryan Financial Lines

Ryan Financial Lines

Ryan Financial Lines Cyber provides risk transfer solutions for complex cyber and technology exposures, globally.