Are You Still Wondering About Dependency Confusion Attacks?

Recently, the Biden White House released an Executive Order detailing new requirements to address cybersecurity and secure software development, as it relates to national security. This order addresses a variety of issues on detection, reporting, remediation, and standards, including the increasing attacks on software supply chains.  However, one recent and worrying trend is an attack that the provisions in the executive order may not be able to stop: Dependency Confusion.

To help illustrate this problem for both the software industry and the broader open source community, we’re revisiting a talk about Dependency Confusion with Sonatype’s CTO Brian Fox, Field CTO Ilkka Turunen and security researcher Ax Sharma. In it, they discuss the progression of a recent, especially effective supply chain attack on the JavaScript-focused npm repository, as well as how to prevent future attacks.

What Happened with npm?

In early February of 2021, a vulnerability was revealed in the npm repository, infiltrating major technology companies, including Microsoft, Tesla, and Netflix. Although 35 companies were named, the issue affected many more, with companies scrambling to address the issue and hundreds of similar copycat efforts appearing on the npm repository.

A Legitimate Disguise

In the months before the announcement, Sonatype detected suspicious packages posted by researcher Alex Birsan. The packages were proactively marked as potentially malicious by Sonatype software as a concern and flagged for review. When contacted, Alex responded that affected groups were taking action ahead of a full disclosure.

Once revealed, Brisan’s work exposed a weakness in open source repositories where company internal package names were discovered or speculated. Then, it was a simple matter of creating those same-name packages in an external repository. Once posted, company systems automatically elected for the external software sources – the ones posted by Alex.

“It’s a simple method: essentially just pretending to (Read more...)

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Luke Mcbride. Read the original post at: