Researchers from Checkmarx have identified a new supply chain attack technique in open source ecosystems. The method lets attackers insert hidden malicious code by manipulating command-line interface (CLI) commands. These attacks are increasingly dangerous because they can evade detection by traditional security measures.
Software developers commonly use “entry points” to streamline their work with packages. However, hackers can exploit these entry points to execute harmful commands when a user runs standard tools. This approach does not require a complete system breach at once; it relies on gradual infiltration, which raises the likelihood of bypassing security protocols.
An example of such an attack is Command Jacking, where attackers substitute popular commands like “aws” or “docker.” With a successful attack, hackers can compromise accounts or steal sensitive data from companies deploying cloud infrastructure.
Even system commands like “ls” or “curl” can be targeted. If the malicious package's command sits in a directory that takes priority in the PATH variable, the user unwittingly triggers the malicious code. This poses a significant threat in development environments, where local directories often take precedence.
Attackers utilize the Command Wrapping technique to enhance stealth. By creating a wrapper around genuine commands, the malicious code can execute discreetly, producing the expected outcome and avoiding suspicion.
Furthermore, hackers are focusing on popular development tools such as pytest and Flake8. By crafting malicious plugins, they can interfere with testing and code checking processes, leaving vulnerabilities undetected.
Of particular note is the “.whl” package format, which differs from the traditional “.tar.gz” format in that it does not execute scripts during installation, complicating attackers’ work. However, with entry points, attackers can circumvent this limitation and execute code when specific commands are invoked.
Entry points pose a threat not only in Python but also in other ecosystems like npm, RubyGems, NuGet, Rust crates, and Dart Pub. This underscores the importance of bolstering security measures across all development and deployment stages.
Some Incident Response (IR) teams are already proactively monitoring open source projects for suspicious activity, with a specific focus on scrutinizing entry points to identify and mitigate potential threats. Timely detection is crucial to safeguarding developers and enterprises from these sophisticated supply chain attacks.
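One way to scrutinize entry points as described above, shown as an added example that is not code from Checkmarx or the original article: it parses the entry_points.txt file shipped in a wheel's .dist-info directory and flags console scripts that reuse a watched command name, plus registrations in the pytest and Flake8 plugin groups. The watched command list, the package name “colour-utils” and the sample file are constructed assumptions.

```python
import configparser
from importlib import metadata

# Commands the article names as Command Jacking targets (list is an assumption; extend it).
WATCHED_COMMANDS = {"aws", "docker", "ls", "curl"}
# Entry-point groups that pytest and Flake8 load plugins from.
PLUGIN_GROUPS = {"pytest11", "flake8.extension", "flake8.report"}


def audit_entry_points(text, dist="<unknown>"):
    """Return findings for one entry_points.txt body (the file inside a wheel's .dist-info)."""
    parser = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    parser.optionxform = str  # keep command names exactly as declared
    parser.read_string(text)
    findings = []
    for group in parser.sections():
        for name, target in parser.items(group):
            if group == "console_scripts" and name.lower() in WATCHED_COMMANDS:
                findings.append((dist, "shadows-command", name, target))
            elif group in PLUGIN_GROUPS:
                findings.append((dist, "tool-plugin", name, target))
    return findings


def audit_environment():
    """Apply the same checks to every distribution installed for this interpreter."""
    findings = []
    for dist in metadata.distributions():
        body = dist.read_text("entry_points.txt")  # None when the package declares none
        if body:
            findings += audit_entry_points(body, dist.metadata["Name"])
    return findings


# Constructed sample: entry_points.txt of a hypothetical package "colour-utils".
SAMPLE = """\
[console_scripts]
colour-utils = colour_utils.cli:main
aws = colour_utils._compat:run

[pytest11]
colour = colour_utils.pytest_hook
"""

if __name__ == "__main__":
    for finding in audit_entry_points(SAMPLE, "colour-utils") + audit_environment():
        print(finding)
```

Legitimate packages also register plugins in these groups, so each finding is a lead for review against an allowlist of expected packages, not a verdict.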