public
/
website
5
0
Fork 0
Code Issues 6 Pull Requests 4 Packages Projects Releases Wiki Activity

feat: package managers supply chain blog draft #41

Open
anton wants to merge 7 commits from anton/blog/package-managers into main
pull from: anton/blog/package-managers
merge into: public:main
Conversation 0 Commits 7 Files Changed 2 +8 -8
1 changed files with 8 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files
Showing only changes of commit 3a603cc37c - Show all commits

16
_posts/2025-06-07-package-managers.md
View File

@ -48,12 +48,12 @@ attackers design their attacks to evade detection. The [SolarWinds attack](http:
occured despite sophisticated monitoring and SAST systems at one of the leading
cybersecurity firms in the world. The nature of that compromise is such that
full code review likely wouldn't have prevented the attack, reproducible builds
would have, but the point is that there is an over-reliance on monitoring.
"Nobody else reviews all their dependencies" - yes, and that's why the
compromises keep happening so frequently and why attackers spend so much energy
on this attack vector. According to a study by [ReversingLabs](https://web.archive.org/web/20240806233532/https://3375217.fs1.hubspotusercontent-na1.net/hubfs/3375217/Documents/The-State-of-Software-Supply-Chain-Security-2024.pdf),
there has been a 1300% increase in the number of threats in software packages
between 2020 and 2023 alone.
would have (more on that another time), but the point is that there is an
over-reliance on monitoring. "Nobody else reviews all their dependencies" - yes,
and that's why the compromises keep happening so frequently and why attackers
spend so much energy on this attack vector. According to a study by
[ReversingLabs](https://web.archive.org/web/20240806233532/https://3375217.fs1.hubspotusercontent-na1.net/hubfs/3375217/Documents/The-State-of-Software-Supply-Chain-Security-2024.pdf), there has been a 1300% increase
in the number of threats in software packages between 2020 and 2023 alone.
## Getting Pwned via Package Managers
@ -61,7 +61,7 @@ There is nothing sophisticated or mysterious about how introducing non-vetted
code into an application results in compromise. If a function is imported and
used, its entire call stack comes along with it - which could be hiding
undesirable behavior. It gets worse because package managers such as `npm` and
`pypi` can often result in full system compromise during the installation step,
`pip` can often result in full system compromise during the installation step,
before even running any application code. Both of these package managers run
installation life-cycle scripts, which are executed with user permissions. Many
attacks rely on this, and leverage these scripts to run arbitrary code on the
@ -81,7 +81,7 @@ So next time when installing a package, consider what is being installed. The
issue is that it's usually not just the top level dependency that will end up
being installed - there are often many sub-dependencies, and package managers
like npm will run the installation lifecycle scripts of each one. Of course this
isn't unique to `npm`, and `pypi`, they are just highlighted as some they are
isn't unique to `npm`, and `pip`, they are just highlighted as some they are
widely used, but this applies to package managers and third party code in
general.