The Unseen Risks of Open Source Dependencies: The Case of an Abandoned Name
One often-overlooked risk in the bustling ecosystem of open-source software is the vulnerabilities introduced through software dependencies. We mention this because today, a malicious actor took over a RubyGems package name with more than two million downloads. Mend.io technology detected the package before it could be used for an attack, but the case of ‘gemnasium-gitlab-service’ serves as an important reminder of the risk of neglecting dependency management.
For context, a gem in the Ruby world is essentially a library or a package of code that developers can incorporate into their projects. They serve as building blocks for applications, each providing a unique piece of functionality.
‘gemnasium-gitlab-service’ was one such gem, originally developed by Gemnasium and taken over and maintained by GitLab when they acquired Gemnasium. However, GitLab decided to retire this gem a while ago and move away from its usage in the GitLab software.
Normally, such a decision would not cause any significant issues. Developers relying on the gem would either stick with the last available version or migrate to an alternative over time.
However, in the case of ‘gemnasium-gitlab-service’, our research team discovered an unidentified entity scanning registries and code sources for references to packages that had names available for takeover in various registries.
The threat actor noticed that this gem had been removed and took the opportunity to take over the gem’s name. This person or group then published a new gem under the ‘gemnasium-gitlab-service’ title.
The Risk
Existing projects that haven’t updated their dependencies might unwittingly pull in this new version, assuming it’s a continuation of the original. Given that the new gem is now controlled by an unknown entity, it could be altered to include malicious code or to perform undesirable actions.
Our investigation has further revealed that this is not an isolated incident. By correlating data with the npm registry (Node.js’s equivalent of the RubyGems system), we found other packages containing malicious code that were published by the same owner more than six months ago. One such package was the npm module tomcrypt, which was published in September 2022 and contained malicious code that exfiltrates sensitive user information.
The implications of this finding are far-reaching. It suggests a systematic approach to find retired or unused open-source package names, take them over, and potentially exploit them. This highlights the risks associated with open-source dependencies, and the importance of good practices around dependency management.
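One dependency-management check of the kind this post argues for, as an added example (not Mend.io's code and not its detection technology): it reads the pinned versions from a Gemfile.lock and compares them against a snapshot of registry metadata, flagging any gem whose locked version has disappeared from the registry or whose name was re-published by a different account after a long period of silence. The lockfile, the registry data and the account names are constructed for illustration.

```ruby
require 'date'

# Constructed Gemfile.lock fragment (not from any real project).
LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      example-legacy-gem (1.4.2)
        rake (>= 12)
      gemnasium-gitlab-service (0.2.6)
      rake (13.0.6)
LOCK

# Constructed registry snapshot: each published version of a gem with its
# publish date and the publishing account. Owner names and dates are
# illustrative only; real values would come from the registry's metadata.
REGISTRY = {
  # Original versions gone, name re-published by a different account.
  'gemnasium-gitlab-service' => [
    { version: '1.0.0', date: '2023-07-01', owner: 'new-unknown-account' }
  ],
  # Locked version still present, but a newer release came from a new account after years of inactivity.
  'example-legacy-gem' => [
    { version: '1.4.2', date: '2019-03-05', owner: 'original-maintainer' },
    { version: '2.0.0', date: '2023-06-20', owner: 'new-unknown-account' }
  ],
  'rake' => [
    { version: '13.0.6', date: '2021-07-09', owner: 'rake-maintainers' }
  ]
}

# Collect "name (version)" entries from the specs section; constraint lines
# such as "rake (>= 12)" are skipped because the version must start with a digit.
def locked_gems(lock_text)
  lock_text.scan(/^\s+(\S+) \((\d[^)]*)\)\s*$/).to_h
end

# Flag a locked gem when its locked version has vanished from the registry,
# or when the newest release comes from a different account than the locked
# version and more than gap_days of silence separate the two releases.
def suspicious_gems(lock_text, registry, gap_days: 365)
  locked_gems(lock_text).each_with_object({}) do |(name, version), out|
    releases = registry.fetch(name, []).sort_by { |r| Date.parse(r[:date]) }
    locked = releases.find { |r| r[:version] == version }
    next out[name] = :locked_version_missing if locked.nil?
    newest = releases.last
    gap = (Date.parse(newest[:date]) - Date.parse(locked[:date])).to_i
    out[name] = :republished_by_new_owner if newest[:owner] != locked[:owner] && gap > gap_days
  end
end
```

Running `suspicious_gems(LOCKFILE, REGISTRY)` on the constructed data flags ‘gemnasium-gitlab-service’ (locked version missing) and ‘example-legacy-gem’ (re-published by a new owner) while leaving ‘rake’ untouched.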
Continue reading: https://go.mend.io/45C4gvH