Recently, the Biden White House released an Executive Order detailing new requirements to address cybersecurity and secure software development, as it relates to national security. This order addresses a variety of issues on detection, reporting, remediation, and standards, including the increasing attacks on software supply chains. However, one recent and worrying trend is an attack that the provisions in the executive order may not be able to stop: Dependency Confusion.
What Happened with npm?
In early February of 2021, a weakness in how build tools pull packages from the npm registry was revealed, one that had allowed proof-of-concept packages to reach the internal build systems of major technology companies, including Microsoft, Tesla, and Netflix. Although 35 companies were named, the issue affected many more, with companies scrambling to address it and hundreds of similar copycat packages appearing on the npm registry.
A Legitimate Disguise
In the months before the announcement, Sonatype's automated analysis detected suspicious packages posted by researcher Alex Birsan, proactively marked them as potentially malicious, and flagged them for review. When contacted, Birsan responded that the affected organizations were already taking action ahead of full disclosure.
Once revealed, Birsan's work exposed a weakness in how open source repositories are consumed: the names of a company's internal packages were discovered or guessed, and it was then a simple matter of publishing packages with those same names to a public repository. Once posted, the companies' build systems automatically chose the external packages, the ones posted by Birsan, over the internal ones, typically because the public copy carried a higher version number than the private one.
“It’s a simple method: essentially just pretending to (Read more...)
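To make the resolution behaviour described above concrete, here is an added example (not code from the original post, Sonatype, or Birsan's research): a toy model of a package client that consults a private and a public registry, in the vulnerable form that keeps whichever registry offers the highest version, beside a hardened form that binds each name to exactly one registry and fails closed. The registry contents, the `acme-` prefix, and the package names are constructed for illustration.

```javascript
// Constructed registry snapshots (not real packages). "acme-utils" and
// "acme-auth" are internal names; an attacker has also published "acme-utils"
// to the public registry with a much higher version number.
const PRIVATE_REGISTRY = {
  "acme-utils": ["1.2.0", "1.3.1"],
  "acme-auth":  ["0.9.0"],
};
const PUBLIC_REGISTRY = {
  "acme-utils": ["99.0.0"],   // attacker-controlled squat of the internal name
  "lodash":     ["4.17.21"],  // genuine public package
};

// Minimal major.minor.patch comparison (no pre-release handling).
function parseVersion(v) {
  return v.split(".").map(n => parseInt(n, 10));
}
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}
function highest(versions) {
  return versions.reduce((best, v) => (compareVersions(v, best) > 0 ? v : best));
}

// Vulnerable resolution: ask every configured registry for the name and keep
// whichever candidate has the highest version, regardless of where it came from.
// This is the behaviour dependency confusion abuses.
function resolveVulnerable(name) {
  const candidates = [];
  for (const [origin, registry] of [["private", PRIVATE_REGISTRY], ["public", PUBLIC_REGISTRY]]) {
    for (const v of registry[name] || []) candidates.push({ origin, version: v });
  }
  if (candidates.length === 0) return null;
  return candidates.reduce((best, c) => (compareVersions(c.version, best.version) > 0 ? c : best));
}

// Hardened resolution: each name is bound to exactly one registry up front.
// Internal names only ever consult the private registry; everything else only
// consults the public one. A hit in the "wrong" registry is never considered,
// and a miss in the bound registry is an error rather than a fallback.
const INTERNAL_PREFIX = "acme-";   // assumed naming convention for internal packages
function registryFor(name) {
  return name.startsWith(INTERNAL_PREFIX)
    ? ["private", PRIVATE_REGISTRY]
    : ["public", PUBLIC_REGISTRY];
}
function resolveHardened(name) {
  const [origin, registry] = registryFor(name);
  const versions = registry[name] || [];
  if (versions.length === 0) return null;   // fail closed: no cross-registry fallback
  return { origin, version: highest(versions) };
}

// Side-by-side demonstration.
for (const name of ["acme-utils", "acme-auth", "lodash"]) {
  console.log(
    name,
    "| vulnerable ->", JSON.stringify(resolveVulnerable(name)),
    "| hardened ->", JSON.stringify(resolveHardened(name)),
  );
}
```

Running it shows `acme-utils` resolving to the attacker's `99.0.0` from the public registry under the vulnerable strategy, and to the private `1.3.1` under the hardened one. In real npm the equivalent of `registryFor` is a scope: publish internal packages as `@acme/utils` and map the scope to the private registry in `.npmrc` (`@acme:registry=https://...`), so the scope rather than a version comparison decides where a name is fetched from, and a lockfile with integrity hashes stops a later higher version from silently replacing what was reviewed.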
*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Luke Mcbride. Read the original post at: https://blog.sonatype.com/are-you-still-wondering-about-dependency-confusion-attacks