Expired domain leaves npm module with 3.5m downloads vulnerable
ReversingLabs
ReversingLabs is the trusted name in file and software security. RL - Trust Delivered.
Welcome to the latest edition of?Chainmail: Software Supply Chain Security News, curated by the team at?ReversingLabs . This week: a report by the firm Illustria reveals that a popular npm open source module with 3.5m weekly downloads was vulnerable to being hijacked.
This Week’s Top Story
Security researchers at the firm Illustria wrote about their discovery of a shocking security lapse that left a popular npm module with more than 3.5 million weekly downloads vulnerable to hijacking. In a blog post, Bogdan Kortnov , the CTO at Illustria, wrote that researchers at his company discovered the flaw in the npm module, which he declined to name, during a customer onboarding exercise. The module in question was listed in one of a number of manifest files Illustria reviewed for supply chain risks. Upon further investigation, Illustria researchers realized that a domain associated with one of the popular module's maintainers had expired and was for sale. That allowed the researchers to acquire the domain and then use their control over it to "recover" the maintainer's email account.
With that, the researchers were able to reset a password on a GitHub account associated with the package and recover a CI/CD automation token from the project’s pipeline. That token subsequently allowed the researchers to bypass two factor authentication used to secure the maintainer account and effectively take control of the project. After their discovery, the Illustria researchers contacted the original maintainer and helped them to recover the expired domain.
The incident underscores the tenuous security surrounding even popular and widely used open source modules, which are often created and maintained by individuals or small groups of unpaid volunteers. In late 2021, for example, an npm package, UA-Parser-JS, with millions of weekly downloads was hijacked and used to distribute cryptomining and password-exfiltrating?malware.
Experts say that more oversight and investment in open source software is needed to avoid a so-called "tragedy of the commons ," in which a failure by a community of users to invest in- and care for shared goods results in the eventual decay of those goods.
News Roundup
Here are the stories we’re paying attention to…
The security firm Phylum warned recently about the discovery of more than 400 packages on the Python Package Index (PyPI) repository with malicious payloads. As Dan Goodin at Ars Technica notes in a recent article on the incident, the attack relied on well known attack techniques, such as typosquatting on the names of popular PyPI modules. But it also revealed a new approach to obfuscation, with the new malicious packages creating function and variable identifiers in what appear to be random 16-bit combinations of Chinese language ideographs to disguise the malicious behavior. (Ars Technica)
领英推荐
In a speech at CloudNativeSecurityCon in Seattle, Priyanka Sharma , the?Cloud Native Computing Foundation ?(CNCF) Executive Director, told attendees that, even as the "shift left" characterized by the embrace of DEVOPS and CI/CD methodologies and tools has turbo-charged development, it has also led to “more exposed edges and nodes with attack surfaces and ultimately less control.” The fix? Organizations need to focus on training and education to break down "silos." Also, practitioners and developers should take a cue from the open source software ecosystem and "share their?development and deployment?expertise," she said. "When we work together, we cover far more ground than any single organization.” (The New Stack)
The Log4j vulnerability and SolarWinds supply chain attacks alerted us that software supply chains are at great risk of being targeted by attackers. In response, Docker has introduced a Software Bill of Materials (SBOM) format for container images. It has announced the?docker sbom CLI?command in Docker Desktop 4.7.0 as a CLI plugin, which lists all the components of the container image. It is an experimental functionality for now, which has been developed as an open source collaboration with Anchore through the Syft tool. (Opensourceforu.com)
On the sidelines of the recent?State of Open Con 23 ?conference in London, UK,?Camille Stewart Gloster, Deputy National Cyber Director at the U.S. Office of the National Cybersecurity Director (ONCD) told InfoSecurity that she is looking to build a diverse team that can tackle the complex supply chain security risk, including the potential for governments exploit open source vulnerabilities to spy on citizens. Stewart Gloster said that the federal government is not rushing to make interventions in the open source space, but is carefully analyzing the issues and understanding where intervention is necessary. “Our first order of business is to understand the challenges and opportunities and what our role in that is,” explained Stewart Gloster. (InfoSecurity)
Resource Roundup
On Wednesday, February 22nd, join Matt Rose from ReversingLabs and Chris Wilder, Research Director at TAG Cyber, as they dig into the details of the recent CircleCI hack, talk about lessons learned from the attack and discuss what organizations of all sizes can do to address of secrets across the SDLC.
The leading market analyst firm Forrester released its 2023 Software Composition Analysis, recognizing ReversingLabs among notable vendors in the SCA space. Download a complimentary copy of Forrester’s SCA report and learn why ReversingLabs is listed among 23 notable vendors.
Honored to be mentioned here ReversingLabs Stay tuned for more ??