Displaying items by tag: npm

There is a topic of conversation that really needs to be talked about in the open. It is the danger of developer systems (personal and company owned) being targets of threat groups. It is a fact; it is not going away, and it is something that people need to consider as they plan out their own security programs. I say this on the heels of coming back from Def Con and hearing AI developers tell me they are not worried about abuse of their AI models (LLM or Statistical). The thought process was an attacker would have to go to too much trouble to have any impact on the model, it would not be worth it. While I can understand this line of thinking, I still feel that it is very wrong and short sighted.

Hey, remember that supply chain attack on NPM that happened recently? Which one? Yeah, that is sort of the problem with recent supply chain attacks. In particular the ones that are targeting the development pipeline. This is because they are starting to happen so often that they all blur together, yet NPM and other critical components of the development supply chain are still targets for attackers to either get their malicious packages onto development systems, or in the final compiled binary that is then sent out to the general public. To call this problematic is to describe a nuclear bomb as a big firecracker. Ok, soapbox on the importance of SDLC (Software Development Lifecycle) hygiene and security put away for now.

Supply chain attacks are all the rage right now (although certainly not new). These attacks are part of what appears to be a multi-pronged shift in the threat landscape. While attacks on the endpoint and users are still happening, we are also seeing expanded efforts in targeting edge devices, networking equipment, and an increased focus on open-source repositories. Recently a new campaign was discovered that is leveraging open-sourced software supply chain attacks in an effort to target the banking sector.

It has been a few days since we talked about NPM and node.js. The popular repository has been taking a bit of a beating in recent months as attackers, hacktivists, and others seek to compromise their packages as part of a general supply chain attack. Supply chain attacks are in vouge right now and are part of the reason you might be seeing the acronym SBOM (Software Build of Materials) so much. Sure, SBOM is not a new term, but the push for it and the rise of an entire vertical in the cybersecurity industry is new and should be a bit of an indicator that there is a problem.

If there is one thing you can say about modern threat groups, it is that they are clever. The new tactics and techniques they identify, and implement are impressive. A recent technique identified is the use of abandoned S3 buckets. The attackers search for and locate S3 buckets that are no longer in use and claim them as their own. If the bucket happens to be part of an existing or previous deployment workflow, so much the better. Checkmarx recently identified a supply chain attack that involved this type of scenario. The attackers took claimed an abandoned S3 bucket for an NPM package called bignum.

Attackers are always looking to get targets coming and going. As such you have a very rich ecosystem of attack types to cover as much ground as possible. A concerning one has always been direct supply chain attacks. These attacks seek to compromise software during the development stage, so the malicious pieces get bundled into the released code and signed with a trusted certificate. The highly publicized attack on SolarWinds is one of those types of attacks and shows just how effective and dangerous they can be. Supply chain attacks some in multiple flavors including (but certainly not limited to) compromising code repositories, poisoned plugins or open-source packages, and targeting of developer systems.

A new flaw has been identified in the Node.js package manager, NPM. The flaw is being described as a logical flaw, but in reading over the data it seems more like a permissions flaw. The good news is that as of April 26, the flaw has been addressed by NPM, the bad is that it was in play until then. According to the researchers that discovered it, the flaw related to the way you can attach other accounts to an uploaded package.

The Open Source community has been one that many leverage to help build their applications. It has become a great place to find applications packages that make building out a larger application or eco systems less time consuming. We see this in just about every development space from large to small. Having helpful sources of working code can speed up the development lifecycle and allow for greater interoperability as many applications use the same dependencies and core functions. The open source community is a great resource and typically is one that you can trust to pull code from.

Since the beginning of the Russian invasion of Ukraine we have seen a massive increase in what can only be called cyber warfare. This battle is not just being fought at the state level though. Even APT groups have gotten involved as they take sides in the conflict. One step down from that (and only a very small step) we see the hacktivists jumping into the fray on both sides. Now, we see a new and unexpected form of protest from the open source community.