To identify malicious packages and protect yourself against them, you need to know what to look for. Here’s a simple guide.
In January 2022, users of the popular open-source libraries “faker” and “colors” suddenly found their applications started to malfunction and display nonsensical data because they had been infected by a malicious package. Similarly, in October, an attacker unleashed a typosquatting campaign against users of 18 legitimate packages that collectively receive over 1.5 billion weekly downloads. The attack released 155 malicious packages into the npm repository. Its objective was to distribute and install a Trojan that stole passwords.
Malicious packages like these are designed to disrupt or disable their targets’ software and applications. They’re alarmingly easy to create and difficult to identify and avoid unless you know what you’re looking out for.
Although they’re not a new phenomenon, malicious packages are proliferating at a startling rate. In the Mend.io Software Supply Chain Malware Special Report, we found that the number of malicious packages published on npm and RubyGems rose by 315% from 2021 to 2022. We anticipate that this growth will continue.
Malicious packages are a type of malware that deceives unsuspecting users into downloading them. Once downloaded, they can cause serious damage to the systems that they target. They’re highly effective because their sources seem trustworthy, so users are inclined to download them.
The damage from these packages comes about because they provide an automated and easy way for malicious code to enter systems with little or no effort from attackers. Once a package is uploaded, it operates on its own and unleashes its ill effects. Bad news for users. Great news for attackers. It’s no wonder that there has been a surge in malicious packages.
Once they’ve deceived users into downloading the packages, attackers use them to steal or erase data and to turn applications into botnets. They achieve this in four main ways:
Given the relative novelty of malicious packages, attackers’ methods are fairly unsophisticated. Typically, they rely on four techniques:
The good news from a security perspective is that when attackers rely on a straightforward technique like network communication, it’s still reasonably easy to detect them, even after the package has been successfully downloaded.
Nevertheless, attackers continually seek to make their techniques more effective and create newer, more complex ways to infiltrate target machines and systems. One example is telemetry for data collection. We anticipate that more and newer ways of creating and using malicious packages will be created.
At first glance, malicious packages appear to be published at random, with no pattern to when attackers release them, but in fact that isn’t the case.
Attackers try to maximize the effect of their malicious packages and improve the odds that they’ll get downloaded by timing their release. Our research found that nearly 25% of malicious packages are published on Thursday afternoons. This could be because attackers realize that many cybersecurity companies are based in Israel, where the weekend is Friday and Saturday. So, they deliberately release these packages at a time when these vendors are winding down for the weekend.
The accessibility of open source software contributes significantly to the impact of malicious packages. Even people with relatively elementary programming skills can create these packages and publish the code to open source repositories that countless developers use. This is an environment that offers plenty of opportunities for malicious packages to get downloaded by unsuspecting users. It’s fertile ground from which malicious actors can launch successful attacks.
Therefore, understanding the implications of incorporating open source code into applications becomes crucial in this context. If you know the dangers, you can be vigilant and better prepared to protect your organization. A significant thing to bear in mind is that malicious packages pose an urgent threat, whereas vulnerabilities can lurk in a codebase for longer periods, sometimes without causing any deleterious effect. It’s therefore important to find and neutralize malicious packages as quickly and efficiently as possible.
Companies can harden their security posture against malicious packages in numerous ways, not least by prioritizing software supply chain security. It’s essential to scan all open source code repositories and libraries, to find and remediate vulnerabilities, and to identify and prevent attacks. The best way to do that is to use an automated scanning tool and accompany it with a software bill of materials (SBOM). While high-profile incidents like Log4j and the SolarWinds breach receive significant attention, they’re just a small proportion of the onslaught of attacks that applications face. The escalating threat posed by malicious package attacks increases the need for a fresh approach to application security (AppSec). That fresh approach requires constant, automated AppSec, so that organizations can stay ahead of attackers in the race to protect their software and avoid the damage that malicious packages can cause.
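As an added example (not Mend.io’s scanner and not code from this article), the check below applies the automated-scanning idea above to the typosquatting problem described at the top of the page: it walks an SBOM-style dependency list and flags any name within a small edit distance of a well-known package name. The allowlist of popular names, the sample dependency list and the distance threshold are all constructed assumptions; a real check would draw the allowlist from registry download rankings or an internal baseline SBOM.

```python
"""Flag dependency names that look like typosquats (added example; all inputs constructed)."""
from typing import Iterable

# Constructed allowlist of well-known names (assumption: a real check would
# draw this from registry download rankings or an internal baseline SBOM).
POPULAR = {"lodash", "express", "colors", "faker", "react", "axios", "chalk"}

def normalize(name: str) -> str:
    """Fold case and separator variants so 'Cross_Env' and 'cross-env' compare equal."""
    return name.strip().lower().replace("_", "-").replace(".", "-")

def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute); a swapped pair of letters costs 2."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def typosquat_candidates(name: str, popular: Iterable[str], max_dist: int = 2) -> list:
    """Popular names within max_dist edits of `name`; an exact match is not a typosquat."""
    n = normalize(name)
    return sorted(p for p in popular if 0 < levenshtein(n, normalize(p)) <= max_dist)

def review(deps: list, popular: Iterable[str] = POPULAR) -> list:
    """Walk an SBOM-style dependency list and report names that resemble popular packages."""
    findings = []
    for dep in deps:
        near = typosquat_candidates(dep["name"], popular)
        if near:
            findings.append({"name": dep["name"], "version": dep["version"], "resembles": near})
    return findings

# Constructed sample: two genuine packages, one near-miss of "lodash", one unrelated name.
SAMPLE_DEPS = [
    {"name": "express", "version": "4.18.2"},
    {"name": "lodahs", "version": "1.0.0"},
    {"name": "Colors", "version": "1.4.0"},
    {"name": "left-pad", "version": "1.3.0"},
]

if __name__ == "__main__":
    for f in review(SAMPLE_DEPS):
        print(f"{f['name']}@{f['version']}: resembles {', '.join(f['resembles'])}")
```

A finding is only a lead for review, not proof of malice: forks and legitimately similar names will also land within two edits, so the threshold and allowlist need tuning per ecosystem.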