What are Malicious Packages? How Do They Work?
Software developers build approximately 80% of software applications using open-source code, which opens up a world of opportunity for today’s threat actors.
Code package repositories such as npm and RubyGems allow anyone to store or publish packages, and unfortunately, that can include packages containing malware. These are known as malicious packages — the malware of the software supply chain.
As the name implies, a malicious package is software that is created with malicious intent. What makes them particularly concerning is that they are remarkably easy to create. Useful for any number of malicious intentions, these packages are hard to avoid and to detect, unless you know what to look for.
A Fast-Growing Threat
Malicious packages aren’t new, but they’re proliferating at an alarming pace. In our “Malicious Packages Special Report,” Mend identified a 315% increase in malicious packages published to npm and RubyGems alone from 2021 to 2022, and expects that trend to continue.
Malicious packages rely on the same kinds of deception as other malware to trick people into downloading them, and once installed they wreak havoc inside users’ systems. Because malicious packages generally arrive from places you think you can trust, such as a public package registry, they are abnormally effective.
Anatomy of a Malicious Package Attack
Malicious packages are used to steal credentials, exfiltrate data, turn applications into botnets, or erase data. But first, attackers need to trick someone or something into downloading the package.
Malicious packages can deliver maximum bang for the bad guy’s buck. An attack can be as simple as hiding a malware payload in open source code and tricking a careless developer into using it, or as involved as exploiting bugs in package manager systems and then benefitting from the opportunities afforded by the scale of a corrupted software supply chain. And make no mistake: Like any malware, malicious packages can inflict significant damage. They can steal credentials, exfiltrate data, turn your systems into part of a botnet, or erase your data.
This, of course, explains their growing popularity. Threat actors never ignore a good opportunity, particularly when it comes to attacking their favorite target: applications. Unfortunately, most companies are only now beginning to explore technology that can defend against malicious packages, and for many, the barn door has been open a little too long. Mend’s 360-degree malicious package protection has already discovered evidence of threat actor success — thousands of malicious packages hiding in existing code bases.
Organizational impact: Malicious packages are more dangerous than vulnerabilities
Once a developer downloads a malicious package, how much damage it does will depend on several key factors:
1. Intent – When threat actors infiltrate using a malicious package, their intent substantially determines the impact. A threat actor trying to inform people about a war or protest action with annoying messages has a lower overall impact than one trying to steal information or turn developers’ machines into cryptocurrency miners.
2. Organization type – Attacks designed to exfiltrate personal information will have a larger, potentially long-term impact on companies trusted with sensitive data. Ransomware attacks that disable systems can have an outsize impact in organizations like hospitals, where lives depend on uptime.
3. Duration – When malicious packages are discovered quickly and removed completely, the damage they cause can be limited. The greatest damage can be caused by packages that remain undetected for months or years while quietly delivering their payload.
4. Spread – Some of the most dangerous malicious packages are designed to provide initial access to a network, at which point the threat actor can move laterally through systems to steal passwords or protected information in order to gain even more access.
Unlike vulnerabilities — which can and do often exist for months or years in application code without being exploited — a malicious package represents an immediate threat to your organization.
Think of it like this: If your applications and organization are a house, then attackers are like burglars. A vulnerability is your proverbial unlocked window: It could let a burglar in some day, but that’s only a possibility. On the other hand, a malicious package is like accepting a FedEx box that already has the burglar inside.
Keep reading: https://go.mend.io/42I2Mxt