Identifying OSS Security Risks To Safeguard Software Supply Chains

Software development has seen something of a revolution over the past decade, with the leading force behind this being the rise of open source. Alongside the rise of open source software (OSS) itself, a dedicated community has formed leading to the creation of repositories where software packages can be held, shared and utilised. Of these, the npm stands out as one of the world's largest software development tools and repositories dedicated to housing JavaScript packages.

Despite the obvious advantages of open source, it’s not immune from misuse, with bad actors utilising repositories to disseminate compromised software and threaten the security of the overall software supply chain.

A recent npm registry violation has shown just how quickly these threats can arise, highlighting the urgent need for organisations to strengthen their risk management strategies.

Misuse of Open Source Repositories

The npm registry plays a crucial role for developers, allowing them to publish and access software components effortlessly. Sonatype recently discovered a significant surge in multimedia packages flooding the npm registry from a user named 'wlwz.' While multimedia assets are often a legitimate part of software applications, this particular asset dump was noteworthy because of its volume (748 packages were uploaded) and content – each package contained partial video clips, which appear to be extracted movies from pirated Blu-Rays and DVDs. 

Though pirated content may seem to be a relatively minor violation, even minor misuse of OSS carries significant dangers as it clouds the clarity of these repositories, and goes directly against their intended purpose, which is to host software projects. Operating in a muddied environment makes it easier for malicious actors to disguise harmful components, making it difficult for developers to distinguish between legitimate software and potentially malicious components. Developers may unknowingly integrate these components into their projects as a result, posing a serious risk to the integrity and security of the software.

The Content Verification Challenge

Over the last two to three years, there have been hundreds of reports about OSS registries being infiltrated by crypto-miners, spam packages, and dependency confusion attacks. Alongside unintentionally disseminating malware, registries can have OSS components that are vulnerable to zero-day attacks, like Log4Shell. These incidents reflect a concerning trend in the evolution of user tactics, with attackers demonstrating greater complexity and sophistication in their methods. Unchecked, attacks like these threaten the integrity of entire repositories which, due to their widespread use, threatens the entire software supply chain.

The SolarWinds Orion Platform hack is an example of how widespread and devastating these attacks can be. Malicious code can undermine software hygiene, leading to data breaches, interconnected system intrusions, and system compromises. The infiltrations extend the risk to customers, partners, and stakeholders, resulting in reputational damage and financial losses.

With such high stakes, one of the key challenges developers face is distinguishing between legitimate and malicious packages on OSS repositories. While some multimedia assets may not be dangerous, others could conceal harmful payloads like trojan malware and other malicious programs.

Robust security measures and continuous monitoring are crucial to detect and mitigate such threats effectively, safeguarding the software supply chain's resilience against future breaches.

Importance Of Security

Bad actors don’t just rely on highly choreographed and sophisticated attacks, sometimes their tactics are relatively benign. Some of these are insidiously simple but nonetheless effective. These tactics include account takeovers, brand jacking, and typosquatting – where attackers upload corrupted packages with names similar to popular ones already in use.

Distinguishing between legitimate and malicious code on OSS registries presents a significant challenge. The sheer scale of this issue and the variety of tactics unfortunately means that human intelligence alone cannot adequately monitor every package and identify the corrupted ones. Multiply this by the number of dependencies on any given software package and the true scope of the problem comes to light. Therefore, it's vital to stress the importance of implementing effective DevSecOps solutions with automation to help uphold platform integrity.

Misuse of open source registries poses risks that escalate through the development lifecycle. Hosting illicit content undermines trust and security, as it can potentially impact interconnected systems. Considering that vulnerabilities can have far-reaching consequences and threaten the resilience and trustworthiness of the entire software supply chain, protecting these platforms is critical.

Safeguarding The Software Supply Chain

Safeguarding the software supply chain is a shared responsibility for developers, administrators, and organisations. Enforcing strict security protocols and upholding platform terms of service are crucial steps in discouraging non-software content hosting and maintaining platform integrity. Developers must adhere to industry best practices and refrain from uploading irrelevant content to ensure the reliability of software components.

By raising awareness about misuse and implementing these preventive measures, the open source community can effectively mitigate the risks posed by repository misuse and maintain the integrity of the software supply chain. Partnerships and vigilance will ensure that open source remains a trusted and valuable resource for developers worldwide in their new project builds. 

Ax Sharma is a Security Researcher at Sonatype 

Image: Ideogram

You Might Also Read: 

Cyber Criminals Exploit Legitimate Software:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

« Surge in “Hunter-Killer” Malware

« British Navy Combines With The Japanese Military To Counter Cyber Attacks
Insights From An Early Adopter Of Microsoft 365 Copilot »

CyberSecurity Jobsite
Check Point

Directory of Suppliers

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

TÜV SÜD Academy UK

TÜV SÜD Academy UK

TÜV SÜD offers expert-led cybersecurity training to help organisations safeguard their operations and data.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

IS Decisions

IS Decisions

IS Decisions builds affordable and easy-to-use Access Management software solutions, allowing IT teams to effectively secure access to Active Directory infrastructures, SaaS apps and data within.

Guardian360

Guardian360

The Guardian360 platform offers unrivalled insight into the security of your applications and IT infrastructure.

Tigerscheme

Tigerscheme

Tigerscheme is a certification scheme for information security specialists, backed by University standards and covering a wide range of expertise.

Smokescreen

Smokescreen

Smokescreen's IllusionBLACK employs deception technology to detect, deflect and defeat advanced hacker attacks.

La Fosse Associates

La Fosse Associates

The InfoSec Recruitment team at La Fosse Associates specialises in placing Information Security & Risk professionals on a permanent and contract basis.

Sixgill

Sixgill

Sixgill, an IoT sensor platform company, builds the universal data service and smart process automation software allowing any organization to effectively govern its IoE assets.

Ergo

Ergo

Ergo is a world-class IT Partner of choice, leveraging the latest technology available in cloud, mobility, big data, analytics, and social media.

Future Technology Systems Company (FutureTEC)

Future Technology Systems Company (FutureTEC)

FutureTEC is a leading Information Technology Solutions Provider, delivering world-class Information Security, Information Management, and Business Solutions.

Rede Nacional CSIRT

Rede Nacional CSIRT

Rede Nacional CSIRT is a national network of CSIRTs in Portugal aimed at cooperation and mutual assistance in the handling of incidents and in the sharing of good security practices.

BlackFog

BlackFog

BlackFog is a leader in device data privacy, data security and ransomware prevention. Our behavioral analysis and anti data exfiltration technology stops hackers before they even get started.

Aspire Technology Solutions

Aspire Technology Solutions

Aspire is an award-winning IT Managed Service and Cyber Security Provider. We specialise in cyber security, cloud, connectivity, managed services, unified communications and IT support.

Spirit Technology Solutions

Spirit Technology Solutions

Spirit Technology Solutions is a modern workplace services provider committed to delivering solutions that embody our core principles of security, sustainability, and scalability.

Baselime

Baselime

Baselime, the cloud-native observability platform. Resolve issues in your cloud application before they become problems.

Jitterbit

Jitterbit

Jitterbit integrates critical business processes and enables application development to deliver the experiences and insights needed by enterprises of all sizes to accelerate their digital journey.

Scalefusion

Scalefusion

Scalefusion provides a comprehensive suite of products engineered to simplify endpoint, user, and access management for IT teams.

Intelligent Protection Management (IPM)

Intelligent Protection Management (IPM)

At IPM, we deliver custom technology solutions that empower businesses to thrive. With over 20 years experience, we help companies of all sizes tackle IT, Security, and Cloud.