Sample Reports for Software Supply Chain Security

Explore our interactive reports, which help you halt attacks and improve security quality.

Sample Software Supply Chain Security Reports

Software supply chain attacks

npm

SLSA.E

Malicious open source package - Planting

Typosquatting attacks prey on developers who mistype a package name during installation. While such attacks typically target developers or the development environment, the IconBurst series of malicious npm packages abused the software supply chain to collect data from unsuspecting end users of the applications that embedded them. IconBurst represents a significant escalation of attacker tactics that further undermines software supply chain security: it is the first software supply chain attack in the open source package ecosystem whose payload triggers only when the package is included in a software release.

Our software analysis report discloses these critical issues:

  • Malicious package components detected
  • Behaviors that describe the presence of obfuscated code
  • Behaviors that point to data obfuscation with Base16 encoding
secure.software analysis report
Read our blog: IconBurst NPM software supply chain attack grabs data from apps and websites

Bash

SLSA.F

Software distribution compromise

Leaks of sensitive information, such as tokens and credentials, can expose parts of the software development and distribution architecture to attackers. Unsigned software releases can be tampered with or modified to include backdoors or other malicious code. This is what happened to Codecov when one of the leaked credentials was abused to gain access to the software distribution platform. Any user who executed the modified bash script had their sensitive information leaked to the attackers as well.

Our software analysis report discloses these critical issues:

  • Malicious package components detected
  • Networking pointing to developer credentials exfiltration location
  • Behaviors that describe the environment info collection
secure.software analysis report
Read our blog on the Codecov compromise

npm

SLSA.E

Malicious open source package - Account compromise

Maintainer account compromises can quickly escalate to impact the wider developer community. Even if the account is restored quickly, automated CI/CD systems that pulled the package during the exposure window may already be compromised. This is what happened when the npm account of the maintainer of the popular ua-parser-js package was compromised and the newly published versions started serving malware.

Our software analysis report discloses these critical issues:

  • Malicious package components detected
  • Networking pointing to second stage malicious components
  • Behaviors that describe the malware download process
secure.software analysis report

npm

SLSA.E

Malicious open source package - Planting

Typosquatting attacks prey on developers who mistype a package name during installation. Developers are the primary target of such attacks, since their credentials can be misused to pivot through the organization. This is a common pattern found in most open source package repositories. Depending on their sophistication, the attackers might even leverage off-the-shelf password recovery tools to collect credentials.

Our software analysis report discloses these critical issues:

  • Malicious package components detected
  • Networking pointing to developer credentials exfiltration location
  • Behaviors that describe the password collection targets
secure.software analysis report - #1
Read our blog: Groundhog day: NPM package caught stealing browser passwords
secure.software analysis report - #2
Read our blog: The NPM package that walked away with all your passwords

RubyGems

SLSA.E

Malicious open source package - Planting

Typosquatting attacks prey on developers who mistype a package name during installation. Once installed, such packages execute their code automatically, giving malware the opportunity to achieve persistence. A malicious RubyGems package called atlas-client abused this to continuously monitor clipboard contents for cryptocurrency wallet addresses. When one is detected, the malware replaces it with an attacker-controlled address, hoping that the unsuspecting victim will transfer funds to the attacker's account.

Our software analysis report discloses these critical issues:

  • Malicious package components detected
  • SBOM lists an executable component with a multimedia extension
  • Software quality analysis detects multiple vulnerability mitigation issues
secure.software analysis report
Read our blog: Mining for malicious RubyGems

Python

SLSA.E

Malicious open source package - Planting

Typosquatting attacks prey on developers who mistype a package name during installation. During installation, a package's dedicated setup functions are called to deploy it within the development environment. A malicious PyPI package called libpeshnx abused this to run its payload whenever an interactive non-login shell is created. In this case, the attacker can change the malicious payload at any time, since it is periodically downloaded from a remote server.

Our software analysis report discloses these critical issues:

  • Malicious package components detected
  • Networking pointing to second stage malicious components
  • Behaviors that describe .bashrc file manipulation
secure.software analysis report
Read our blog: Beware of imposter libraries on PyPI

Software quality issues

Python

CWE-200

Sensitive information data leaks

Accidental inclusion of sensitive information, such as credentials or certificates, is quickly becoming the dominant way build environments get compromised. Safe secrets management is a challenge every developer faces. Because secrets are used in so many ways during development, it is easy to accidentally include them in a release package or a container image. Once the secrets are out in the open, attackers can easily misuse them to gain access, plant backdoors, and pivot from the build environment to production.

Our software analysis report discloses these critical issues:

  • Sensitive information policy violations include plain and encrypted SSH keys
  • Test folders containing certificates can be excluded via configuration
  • Failing conditions can be enforced when unexpected secrets are found
secure.software analysis report
Read our blog: PyPI packages containing sensitive information
Read our blog: Introducing new secrets capabilities

Windows

CWE-345

Tampering with digitally signed content

Digital signatures are applied to applications, packages and documents as a cryptographically secured record of authenticity. A signature verifies both the origin and the integrity of the object it is applied to. Any mismatch between the expected and the computed hash of the object is reported as an integrity validation failure. This can be caused by data corruption, by developers changing content after signing, or by an attacker tampering with the package. While finding the root cause is an incident response exercise, tracking the remediation of the issue is easily automated with our differential reports. This example report shows a Microsoft package in which a tampered signature issue was resolved in a subsequent software version.

Our software analysis report discloses this critical issue:

  • Differential analysis confirms that the software tampering issue was resolved
secure.software analysis report
Read our blog: Trouble with software integrity validation

Java

CWE-502

Critical remote code execution vulnerability

Most modern software is built on the shoulders of open source components. Managing critical vulnerabilities introduced into the code base by those third-party packages has become a daily chore for developers. When a critical remote code execution vulnerability hits the news, questions of impact and exposure drive urgency and cause development teams to scramble. This is exactly what happened when a CVSS 10.0 vulnerability was found in a commonly used Java logging library, log4j.

Our software analysis report discloses these critical issues:

  • SBOM includes the accurate list of embedded and referenced libraries
  • Vulnerable log4j version suggests the upgrade path for issue remediation
  • Log4Shell is the name given to the CVE-2021-44228 vulnerability:

    • Exploit for the vulnerability is known to exist
    • Vulnerability is actively abused by malware
    • There’s a CISA mandate to patch
secure.software analysis report
Read our blog: Log4j is why you need an SBOM

NuGet

CWE-119

Exploited vulnerability in statically linked code

When building software components, a developer has many options for interacting with third-party code. Static linking is one of the most common ways for vulnerabilities to get unexpectedly included in a large code base. The deeper a dependency tree goes, the more likely it is that some part of it links to an outdated, statically linked dependency. It is also very common to find multiple versions of the same dependency statically linked across components within a single software package. This dependency version bifurcation exposes the application to unmanaged security risk. In the following example report, a NuGet package includes multiple statically linked versions of the OpenSSL and zlib libraries, both of which contain critical vulnerabilities.

Our software analysis report discloses these critical issues:

  • SBOM includes the accurate list of components
  • Dependency view can be used to find components that link vulnerable code
  • Dependency view can be used to identify library bifurcation issues
secure.software analysis report
Read our blog: Third-party code comes with some baggage