From 3a603cc37c774cce781b714ad0dbaaad6ec0bd0b Mon Sep 17 00:00:00 2001 From: Anton Livaja Date: Fri, 13 Jun 2025 06:26:51 -0700 Subject: [PATCH] minor fixes, thanks satoqz --- _posts/2025-06-07-package-managers.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/_posts/2025-06-07-package-managers.md b/_posts/2025-06-07-package-managers.md index ff4e80e..e4b6689 100644 --- a/_posts/2025-06-07-package-managers.md +++ b/_posts/2025-06-07-package-managers.md @@ -48,12 +48,12 @@ attackers design their attacks to evade detection. The [SolarWinds attack](http: occured despite sophisticated monitoring and SAST systems at one of the leading cybersecurity firms in the world. The nature of that compromise is such that full code review likely wouldn't have prevented the attack, reproducible builds -would have, but the point is that there is an over-reliance on monitoring. -"Nobody else reviews all their dependencies" - yes, and that's why the -compromises keep happening so frequently and why attackers spend so much energy -on this attack vector. According to a study by [ReversingLabs](https://web.archive.org/web/20240806233532/https://3375217.fs1.hubspotusercontent-na1.net/hubfs/3375217/Documents/The-State-of-Software-Supply-Chain-Security-2024.pdf), -there has been a 1300% increase in the number of threats in software packages -between 2020 and 2023 alone. +would have (more on that another time), but the point is that there is an +over-reliance on monitoring. "Nobody else reviews all their dependencies" - yes, +and that's why the compromises keep happening so frequently and why attackers +spend so much energy on this attack vector. According to a study by +[ReversingLabs](https://web.archive.org/web/20240806233532/https://3375217.fs1.hubspotusercontent-na1.net/hubfs/3375217/Documents/The-State-of-Software-Supply-Chain-Security-2024.pdf), there has been a 1300% increase +in the number of threats in software packages between 2020 and 2023 alone. ## Getting Pwned via Package Managers @@ -61,7 +61,7 @@ There is nothing sophisticated or mysterious about how introducing non-vetted code into an application results in compromise. If a function is imported and used, its entire call stack comes along with it - which could be hiding undesirable behavior. It gets worse because package managers such as `npm` and -`pypi` can often result in full system compromise during the installation step, +`pip` can often result in full system compromise during the installation step, before even running any application code. Both of these package managers run installation life-cycle scripts, which are executed with user permissions. Many attacks rely on this, and leverage these scripts to run arbitrary code on the @@ -81,7 +81,7 @@ So next time when installing a package, consider what is being installed. The issue is that it's usually not just the top level dependency that will end up being installed - there are often many sub-dependencies, and package managers like npm will run the installation lifecycle scripts of each one. Of course this -isn't unique to `npm`, and `pypi`, they are just highlighted as some they are +isn't unique to `npm`, and `pip`, they are just highlighted as some they are widely used, but this applies to package managers and third party code in general.