Malicious actors use the npm registry as a starting point for open source software (OSS) supply chain attacks.
Open source software offers enormous potential for criminals and nation states to launch widespread supply chain attacks, and the OSS registries give them an important, easily accessible staging ground.
Diffend was acquired by WhiteSource in April 2021. Its creator, Maciej Mensfeld, joined WhiteSource as Senior Product Manager.
In its NPM Threat Report (PDF), WhiteSource explains that through 2021 it tracked over 32,000 new packages uploaded to npm each month. There is even more activity in new package versions, which averaged over 17,000 releases per day throughout 2021.
“Unfortunately,” comments Rami Sass, co-founder and CEO of WhiteSource, “this popularity is being used by threat actors to spread malware and launch attacks that harm businesses and individuals.”
This concern applies both to packages with unintended vulnerabilities and to packages containing malicious code inserted by attackers.
WhiteSource Diffend currently detects around 10 malicious packages every day. Most of them are engaged in reconnaissance, actively or passively gathering information that can support future targeting. Fourteen percent, however, are designed to steal sensitive data such as credentials.
“As far as I know,” Mensfeld told SecurityWeek, “at least until the end of 2021, there were no automatic tools on npm that would prevent anyone from uploading anything to the registry. So if you wanted to upload a package that would wipe all the data on the user’s computer when downloaded, you could easily do it. There are no pre-checks on the package.”
WhiteSource reports its findings to npm, which removes malicious packages from the registry. However, if a new malicious package is detected and reported on a Friday, it is unlikely to be removed until the following Monday, and during that time it could be downloaded thousands or even millions of times by automated package managers. Notably, WhiteSource reports that Friday is a popular day for uploading new malicious packages to the registry.
A classic example of an OSS supply chain attack was revealed in late October 2021. The attackers inserted malicious code into three versions of ua-parser-js after apparently taking control of the developer’s npm account. “ua-parser-js is used to parse user agent strings to identify a user’s browser, operating system (OS), device, and other attributes,” WhiteSource explains. “Three new versions of this package have been released with the intention of getting users to download them.”
The package’s author responded quickly with new, clean builds, but the malicious code remained in the registry for another three hours. At the time, ua-parser-js was being downloaded around 8 million times a week.
“Any computer with this package installed or running should be considered fully compromised,” GitHub warned. “A computer or device with the affected software installed or running could allow a remote attacker to obtain sensitive information or gain control of the system,” CISA advised.
WhiteSource warns that malicious actors are actively looking for the most effective ways to use npm for attacks. Since a malicious package is unlikely to remain in the registry undetected for more than a week, inactive code can be uploaded to a new or abandoned package to see whether it is detected and how long that takes, a concept similar to malware writers testing their new releases against VirusTotal.
WhiteSource advises that developers using npm (or any other OSS registry) should not blindly trust the system, should update only when they are sure of the contents, should track changes, should run continuous integration (CI) in isolated steps, must create a security flow that matches the profile of the organization, and must support the entire SDLC.
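One way to act on the “track changes” and “update only when you are sure of the contents” advice is to review a dependency update before trusting it. The script below is an added example, not code from the article or from WhiteSource; it assumes a constructed lockfile-like shape (package name to version plus the lifecycle scripts from that package’s manifest) and flags new packages, version changes and any package that would run code at install time.

```javascript
// Added example: review a dependency update before trusting it.
// Lifecycle hooks that npm runs during `npm install`; a package that
// declares one executes code on the developer's machine at install time.
const LIFECYCLE = ["preinstall", "install", "postinstall", "prepare"];

// `before` / `after` use a constructed shape: { name: { version, scripts? } },
// i.e. what one would extract from package-lock.json plus each package's
// package.json. Returns the findings a reviewer should look at by hand.
function reviewUpdate(before, after) {
  const findings = [];
  const hooksOf = (pkg) => LIFECYCLE.filter((h) => pkg && pkg.scripts && pkg.scripts[h]);
  for (const [name, pkg] of Object.entries(after)) {
    const prev = before[name];
    const hooks = hooksOf(pkg);
    if (!prev) {
      findings.push({ name, kind: "new", version: pkg.version, hooks });
    } else if (prev.version !== pkg.version) {
      findings.push({ name, kind: "changed", from: prev.version, to: pkg.version, hooks });
    } else if (hooks.length > 0 && hooksOf(prev).length === 0) {
      // Same version string, but an install hook appeared: the contents differ.
      findings.push({ name, kind: "hook-added", version: pkg.version, hooks });
    }
  }
  for (const name of Object.keys(before)) {
    if (!after[name]) findings.push({ name, kind: "removed", version: before[name].version });
  }
  return findings;
}

// Anything new, or anything that will run code on install, blocks the update
// until a human has read the package contents.
function needsManualReview(findings) {
  return findings.filter((f) => f.kind === "new" || (f.hooks && f.hooks.length > 0));
}

// Constructed sample data: one package bumps a patch version and gains a
// preinstall script, and a brand-new transitive dependency appears.
const BEFORE = {
  "pkg-a": { version: "1.3.0" },
  "pkg-b": { version: "0.7.28" },
};
const AFTER = {
  "pkg-a": { version: "1.3.0" },
  "pkg-b": { version: "0.7.29", scripts: { preinstall: "node preinstall.js" } },
  "pkg-c": { version: "2.0.1" },
};
const SAMPLE_FINDINGS = reviewUpdate(BEFORE, AFTER);
```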
WhiteSource, headquartered in Boston, USA, was founded in 2011 by Azi Cohen (GM), Rami Sass (CEO) and Ron Rymon (Executive Chairman). It raised $75 million in a Series D funding round in April 2021.