Supply Chain Breaches Can Exploit Entryways in Python, npm, and Open-Source Ecosystems
Online protection investigators have discovered that entryways could be misused throughout various programming environments such as PyPI, npm, Ruby Gems, NuGet, Dart Pub, and Rust Crates to carry out software supply chain breaches.
“Criminals can utilize these entryways to trigger malevolent code when specific instructions are executed, presenting a widespread danger in the open-source domain,” researched Yehuda Gelb and Elad Rapaport from Checkmarx stated in a study shared with The Hacker News.
The software supply chain security firm highlighted that entry-point breaches provide assailants a more cunning and lasting approach to infiltrate systems in a manner that can surpass conventional security barriers.
In a programming language such as Python, entry points refer to a packaging tool that permits developers to expose certain functions as a command-line wrapper (also known as console_scripts). Alternatively, they can also be utilized to load plugins that enhance a package’s capabilities.
Checkmarx also mentioned that while entry points serve as an effective way to enhance modularity, this same feature could be exploited to distribute malevolent code to unsuspecting users. Some of the potential scenarios include command-hijacking and generating unauthorized plugins for various tools and frameworks.
Command-hijacking takes place when fake packages use entry points that impersonate popular third-party tools and commands (e.g., aws and docker), thereby collecting confidential information when developers install the package, even if it’s distributed as a wheel (.whl) file.
Some of the extensively used third-party commands that could be possible targets for command-hijacking include npm, pip, git, kubectl, terraform, gcloud, heroku, and dotnet.
A second form of command-hijacking can also manifest when offenders utilize legitimate system command names (e.g., touch, curl, cd, ls, and mkdir) as entry points to takeover the command execution flow.
“The success of this strategy primarily hinges on the PATH sequence,” the researchers highlighted. “In situations where the directory containing the malevolent entry points is positioned before the system directories in the PATH, the harmful command will be executed instead of the system command. This is more likely to happen in development settings where local package directories are given higher priority.”
That’s not all. Checkmarx discovered that the effectiveness of command-hijacking can be further enhanced by a more clandestine method known as command wrapping, which involves creating an entry point that functions as a covering around the original command, rather than completely replacing it.
What adds to the potency of this method is that it discreetly runs the malevolent code while simultaneously invoking the original, lawful command and delivering the outcomes of the execution, thereby enabling it to operate under the radar.
“Since the lawful command still operates and its output and behavior remain intact, there are no immediate indicators of a breach, making it extremely challenging to identify the attack through regular usage,” the researchers underscored. “This covert approach enables attackers to sustain prolonged access and potentially extract confidential data without raising suspicion.”
Another assault approach using entry points involves crafting malevolent plugins and enhancements for developer tools that possess the ability to gain extensive access to the codebase itself, thereby granting malicious entities a chance to manipulate program behavior or tamper with the testing process to make it appear as if the code is functioning as desired.
“Looking forward, it’s imperative to establish comprehensive security measures that address the exploitation of entry points,” the researchers urged. “By comprehending and mitigating these risks, we can strive towards a more secure Python packaging environment, shielding both individual developers and corporate systems from sophisticated supply chain breaches.”
This revelation comes as Sonatype, in its annual State of the Software Supply Chain report, disclosed that over 512,847 malicious packages have been detected across open-source ecosystems for Java, JavaScript, Python, and .NET since November 2023, marking a 156% surge year-over-year.
“Conventional security solutions frequently fall short in identifying these innovative attacks, leaving developers and automated build environments highly exposed,” the company highlighted. “This has led to a new wave of advanced supply chain attacks that target developers directly, bypassing existing defenses.”
About Author
