The year 2021 witnessed massive growth in software supply chain attacks. According to a study by Argon Security, such attacks increased by more than 300% in 2021 compared to 2020. Some of the prominent attacks involved the exploitation of Log4J and the VSA tool.

Besides these, there was also an uptick in the malicious use of open-source software repositories, which enabled threat actors to infiltrate a software vendor's network and plant malicious code to launch further attacks. This trend continues to be a serious threat, as Sonatype revealed an upsurge in malicious packages infiltrating multiple open-source repositories since February.

Open-source repositories under attack

  • Towards the beginning of March, researchers from Sonatype identified hundreds of counterfeit packages in npm and PyPI repositories that were used to execute Remote Access Trojans (RATs).
  • Over 130 typosquatting packages named after popular brands, websites, and projects were inserted into the npm repository to exfiltrate basic information such as username, hostname, IP addresses, and OS info.
  • Besides this, there were eight malicious PyPI packages that leveraged dependency confusion attacks to target Azure developers and environments.

More attacks discovered 

  • In another incident, a group of more than 200 malicious npm packages was found targeting Microsoft Azure developers to steal their Personally Identifiable Information (PII).
  • The attack targeted the entire @azure npm scope. In order to stay under the radar, the attackers had created accounts using an automated script, which was also used to upload the malicious packages.
  • Recently, Checkmarx also raised an alarm about fully automated npm supply chain attacks that delivered hundreds of malicious packages into the npm ecosystem.
  • This was the work of a threat actor named RED-LILI. The attacker had fully automated the process of npm account creation to launch difficult-to-detect dependency confusion attacks.
  • Checkmarx believes that the threat actor is still active and continues to publish malicious packages.
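As an added illustration (not code from the Cyware article or from the researchers it cites), a small pre-install screen for the two techniques the roundup describes: look-alike (typosquatted) names checked against an allowlist, and internal package names that also exist on the public registry, the precondition for dependency confusion. The allowlist, the internal names and the public-registry snapshot are constructed placeholders.

```python
# Added example: offline screen for typosquatting and dependency-confusion
# candidates in a dependency manifest. All lists are constructed placeholders.
from typing import Dict, Iterable, List

# Hypothetical allowlist of packages the team has reviewed and depends on.
KNOWN_GOOD = {"lodash", "express", "request", "requests", "@azure/identity"}
# Hypothetical names of packages served only from the private registry.
INTERNAL = {"@acme/billing-core", "acme-auth-utils"}
# Constructed snapshot of names observed on the public registry.
PUBLIC_REGISTRY = {"lodash", "express", "loadsh", "expres", "requests", "acme-auth-utils"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; small distances to a popular name are the typosquat signal."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def typosquat_candidates(names: Iterable[str], known=KNOWN_GOOD, max_dist: int = 2) -> Dict[str, List[str]]:
    """Manifest names that are NOT on the allowlist but sit within max_dist edits of one."""
    hits: Dict[str, List[str]] = {}
    for name in names:
        if name in known:
            continue
        close = sorted(k for k in known if edit_distance(name, k) <= max_dist)
        if close:
            hits[name] = close
    return hits


def confusion_candidates(internal=INTERNAL, public=PUBLIC_REGISTRY) -> List[str]:
    """Internal names that also exist publicly: a resolver that prefers the public copy
    (or a higher public version) would install the attacker's package instead."""
    return sorted(internal & public)


def screen(manifest_names: Iterable[str]) -> Dict[str, object]:
    """Run both checks over a manifest's dependency names."""
    return {"typosquat": typosquat_candidates(manifest_names), "confusion": confusion_candidates()}


if __name__ == "__main__":
    print(screen(["lodash", "loadsh", "expres", "acme-auth-utils"]))
```

In practice the allowlist and public snapshot would be generated from a lockfile and a registry query, and internal scopes should additionally be pinned to the private registry in the package manager configuration so that a public collision cannot be resolved at all.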

Conclusion

It is a stark reality that open-source software is becoming a ripe target for software supply chain attacks. Therefore, organizations should bolster the security of their software development process to thwart such sophisticated attacks. Additionally, it is very important that developers using open-source software download code only from official upstream repositories, to prevent attacks that rely on hostile source code.

Cyware Publisher