Identifying OSS Security Risks To Safeguard Software Supply Chains

Software development has seen something of a revolution over the past decade, with the leading force behind this being the rise of open source. Alongside the rise of open source software (OSS) itself, a dedicated community has formed leading to the creation of repositories where software packages can be held, shared and utilised. Of these, the npm stands out as one of the world's largest software development tools and repositories dedicated to housing JavaScript packages.

Despite the obvious advantages of open source, it’s not immune from misuse, with bad actors utilising repositories to disseminate compromised software and threaten the security of the overall software supply chain.

A recent npm registry violation has shown just how quickly these threats can arise, highlighting the urgent need for organisations to strengthen their risk management strategies.

Misuse of Open Source Repositories

The npm registry plays a crucial role for developers, allowing them to publish and access software components effortlessly. Sonatype recently discovered a significant surge in multimedia packages flooding the npm registry from a user named 'wlwz.' While multimedia assets are often a legitimate part of software applications, this particular asset dump was noteworthy because of its volume (748 packages were uploaded) and content – each package contained partial video clips, which appear to be extracted movies from pirated Blu-Rays and DVDs. 

Though pirated content may seem to be a relatively minor violation, even minor misuse of OSS carries significant dangers as it clouds the clarity of these repositories, and goes directly against their intended purpose, which is to host software projects. Operating in a muddied environment makes it easier for malicious actors to disguise harmful components, making it difficult for developers to distinguish between legitimate software and potentially malicious components. Developers may unknowingly integrate these components into their projects as a result, posing a serious risk to the integrity and security of the software.

The Content Verification Challenge

Over the last two to three years, there have been hundreds of reports about OSS registries being infiltrated by crypto-miners, spam packages, and dependency confusion attacks. Alongside unintentionally disseminating malware, registries can have OSS components that are vulnerable to zero-day attacks, like Log4Shell. These incidents reflect a concerning trend in the evolution of user tactics, with attackers demonstrating greater complexity and sophistication in their methods. Unchecked, attacks like these threaten the integrity of entire repositories which, due to their widespread use, threatens the entire software supply chain.

The SolarWinds Orion Platform hack is an example of how widespread and devastating these attacks can be. Malicious code can undermine software hygiene, leading to data breaches, interconnected system intrusions, and system compromises. The infiltrations extend the risk to customers, partners, and stakeholders, resulting in reputational damage and financial losses.

With such high stakes, one of the key challenges developers face is distinguishing between legitimate and malicious packages on OSS repositories. While some multimedia assets may not be dangerous, others could conceal harmful payloads like trojan malware and other malicious programs.

Robust security measures and continuous monitoring are crucial to detect and mitigate such threats effectively, safeguarding the software supply chain's resilience against future breaches.

Importance Of Security

Bad actors don’t just rely on highly choreographed and sophisticated attacks, sometimes their tactics are relatively benign. Some of these are insidiously simple but nonetheless effective. These tactics include account takeovers, brand jacking, and typosquatting – where attackers upload corrupted packages with names similar to popular ones already in use.

Distinguishing between legitimate and malicious code on OSS registries presents a significant challenge. The sheer scale of this issue and the variety of tactics unfortunately means that human intelligence alone cannot adequately monitor every package and identify the corrupted ones. Multiply this by the number of dependencies on any given software package and the true scope of the problem comes to light. Therefore, it's vital to stress the importance of implementing effective DevSecOps solutions with automation to help uphold platform integrity.

Misuse of open source registries poses risks that escalate through the development lifecycle. Hosting illicit content undermines trust and security, as it can potentially impact interconnected systems. Considering that vulnerabilities can have far-reaching consequences and threaten the resilience and trustworthiness of the entire software supply chain, protecting these platforms is critical.

Safeguarding The Software Supply Chain

Safeguarding the software supply chain is a shared responsibility for developers, administrators, and organisations. Enforcing strict security protocols and upholding platform terms of service are crucial steps in discouraging non-software content hosting and maintaining platform integrity. Developers must adhere to industry best practices and refrain from uploading irrelevant content to ensure the reliability of software components.

By raising awareness about misuse and implementing these preventive measures, the open source community can effectively mitigate the risks posed by repository misuse and maintain the integrity of the software supply chain. Partnerships and vigilance will ensure that open source remains a trusted and valuable resource for developers worldwide in their new project builds. 

Ax Sharma is a Security Researcher at Sonatype 

Image: Ideogram

You Might Also Read: 

Cyber Criminals Exploit Legitimate Software:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

« Surge in “Hunter-Killer” Malware

« British Navy Combines With The Japanese Military To Counter Cyber Attacks
Insights From An Early Adopter Of Microsoft 365 Copilot »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

TÜV SÜD Academy UK

TÜV SÜD Academy UK

TÜV SÜD offers expert-led cybersecurity training to help organisations safeguard their operations and data.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Morgan Lewis Law

Morgan Lewis Law

Morgan Lewis is an international law firm with offices in North America, Europe, Asia, and the Middle East. Practice areas include Privacy and Cybersecurity.

Swivel Secure

Swivel Secure

Swivel Secure is an award winning provider of multi-factor authentication solutions.

CounterCraft

CounterCraft

The CounterCraft Cyber Deception Platform fits seamlessly into existing security strategies and delivers high-end deception for threat hunting and threat detection.

Cyber Defense Agency (CDA)

Cyber Defense Agency (CDA)

Cyber Defense Agency is a premier professional services firm specializing in cyber security, computer network defense, and information security.

NITA Uganda (NITA-U)

NITA Uganda (NITA-U)

NITA-U has put in place the Information security framework to provide Uganda with the necessary process, policies, standards and guideline to help in Information Assurance.

SQN Banking Systems

SQN Banking Systems

SQN Banking Systems fraud detection software products are a critical step towards overcoming the growing problem of fraud across the various payment channels.

Concentric

Concentric

Concentric Data Risk Monitoring and Protection. Deep Learning to discover, monitor and remediate risks to sensitive data on-premises and in the cloud.

Ridge Global

Ridge Global

Ridge Global works with C-suite executives and corporate directors to build more resilient organizations through innovative preparedness, protection, response and education capabilities.

SpecterOps

SpecterOps

SpecterOps has unique insight into the cyber adversary mindset and brings the highest caliber, most experienced resources to assess your organizations defenses.

Performance Technologies

Performance Technologies

As a leading IT Solutions Provider in Greece, Performance Technologies delivers reliable, long life solutions, ensuring continuous availability of business-critical services and information.

SeeMetrics

SeeMetrics

SeeMetrics is an automated cybersecurity performance management platform that integrates security data and business objectives into a simple interface.

AgilePQ

AgilePQ

AgilePQ visibly secures IoT devices worldwide to protect the privacy, safety, and well-being of all people.

QEDIT

QEDIT

QEDIT is leading the standardization of Zero-Knowledge Proofs through the ZKProof.org Workshops, and builds production-grade ZKP systems for blockchain.

Queen Consulting & Technologies

Queen Consulting & Technologies

Queen Consulting & Technologies specialize in providing IT support, management, and Security to Gov’t Contractors, CPAs, and Nonprofits.

Guardian Angel Cyber

Guardian Angel Cyber

Guardian Angel Cyber, is your trusted ally in safeguarding your digital assets and online presence.

Hurricane Labs

Hurricane Labs

Hurricane Labs is a managed security services provider (MSSP) that focuses on Splunk.