diff --git a/_posts/2025-06-07-package-managers.md b/_posts/2025-06-07-package-managers.md index a351a05..14335c1 100644 --- a/_posts/2025-06-07-package-managers.md +++ b/_posts/2025-06-07-package-managers.md @@ -1,6 +1,6 @@ --- layout: post -title: Package Managers - How To Install Malware On Your Systems +title: Package managers - malware delivery as a service date: 2025-04-02 --- @@ -56,9 +56,9 @@ run installation lifecycle scripts, which run under user permissons. Many attack rely on this, and simply run arbitrary code on the user's machine when they install a given package. Unfortunately because privilege escalation attacks are often fairly simple to do, the risk is exacerbated. The other common way that -packages can compromise a target if by modifiying the flow of regularly invoked +packages can compromise a target is by modifiying the flow of regularly invoked functions to perform additional actions or entirely change the expected -behavior of software. Typing "npm malware" or "pypi suppl chain attack" will +behavior of software. Typing "npm malware" or "pypi supply chain attack" will yield seemingly endless results but here are some "fun" highlights just from this year so far: @@ -78,9 +78,10 @@ actors. In fact, in some cases attackers will purchase a library or use an expired domain to take over a library that is already widely used, to attack its unexpecting users, as was the case in the [attack via the `event-stream` package](https://web.archive.org/web/20250418194828/https://www.techtarget.com/searchsecurity/news/252453398/Compromised-NPM-package-highlights-open-source-trouble) in 2018, but many similar attacks have occured -since ([ref 1](https://web.archive.org/web/20250418194828/https://www.techtarget.com/searchsecurity/news/252453398/Compromised-NPM-package-highlights-open-source-trouble). Our co-founder and security engineer Lance -Vick performed an attack to illustrate how easy it can be to compromise a library -by [purchasing a domain which allowed him to control the `foreach` npm package](https://web.archive.org/web/20250418194828/https://www.techtarget.com/searchsecurity/news/252453398/Compromised-NPM-package-highlights-open-source-trouble). +since ([ref 1](https://web.archive.org/web/20250418194828/https://www.techtarget.com/searchsecurity/news/252453398/Compromised-NPM-package-highlights-open-source-trouble)). Our co-founder and security engineer Lance +Vick showed that an attack could be performed to illustrate how easy it can be +to compromise a library by [purchasing a domain which could allow control the +`foreach` npm package](https://web.archive.org/web/20250418194828/https://www.techtarget.com/searchsecurity/news/252453398/Compromised-NPM-package-highlights-open-source-trouble). ## Review All The Code... @@ -94,8 +95,9 @@ own and in every supply-chain dependency. Only once this exhaustive review is complete can we meaningfully claim the software is reasonably secure. Today’s typical 1–2-week audit windows, however, fall dramatically short of the time required to manually vet millions of lines of code, exposing a fundamental gap -in our security assurance process. If an organization chooses to just use SAST, -it should not be surprised when it gets compromised by a supply chain attack. +in our security assurance process. If an organization chooses to only use SAST +and monitoring solutions, it should not be surprised when it gets compromised +by a supply chain attack. ## Summary @@ -109,10 +111,11 @@ given a long enough time horizon. * SAST is a feel good measure that is not sufficient for ensuring code security. -* If it can be done with the standard language library avoid adding dependencies. +* If it can be done with the standard language library, avoid adding +dependencies. * Evaluate cost of using third party libraries based on how much it costs to -review them rather than assigning them cost of $0 as they are free to use. +review them rather than assigning them cost of $0 as though they are free to use. * Consider donating to maintainers of your most important third party dependencies, both for development, and to pay for security assessments.