November 2024 in Software Supply Chain Security

In November 2024, supply chain attacks featured two key trends: attackers’ persistent use of “legitimate-first” package strategies and creative approaches like exploiting official documentation. Cryptocurrency remained the primary target through both credential theft and mining operations.

Let’s delve into some of the most striking events of November:

Dozens of Machines Infected: Year-Long NPM Supply Chain Attack Combines Crypto Mining and Data Theft

A malicious NPM package, masquerading as a legitimate XML-RPC implementation, operated for over a year—stealing data and mining cryptocurrency. Dozens of systems were affected. (Link to report).

[Figure: xml-rpc attack flow]

Malicious NPM Package Exploits React Native Documentation Example

An attacker published a malicious NPM package that mirrors an example from React Native’s official documentation, in an attempt to trick developers following the official guide. This highlights the need for careful package verification even when following official guides. (Link to report).

[Figure: From React Native’s official documentation]
[Figure: Malicious npm package mirroring example from React Native’s official documentation]

Falling Stars

Two years after the discovery of StarJacking, an analysis of 21 package repositories reveals improved security measures against this threat—though the risk still persists in some repositories. (Link to report).

[Figure: Example of PyPI ecosystem process – adding verification of the package metadata.]

“aiocpa” Python Package Transforms From Legitimate Package to Crypto Thief

In November 2024, PyPI published an advisory about the aiocpa package, which was compromised when versions 0.1.13 and 0.1.14 introduced obfuscated malware designed to steal cryptocurrency credentials via Telegram. The attack was notable for its patience – the attacker maintained a legitimate package for months before adding malware, while keeping the GitHub repository clean. With thousands of downloads in its final month, aiocpa joins a growing trend where attackers establish legitimate packages before weaponizing them, in most cases to target cryptocurrency assets.
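The aiocpa case is a reminder that a clean GitHub repository says nothing about what was actually uploaded to the registry. One defensive check is to diff the published sdist against the tagged repository tree and flag files that were added or changed in the artifact only, plus a few crude indicators of an obfuscated loader (exec of decoded data, very long base64 literals, dynamic imports). The code below is an added example written for this post, not Checkmarx's tooling or anything from the aiocpa package; the package name `examplepkg`, the tampered file contents and the regex heuristics are all constructed for the demonstration.

```python
import base64
import io
import re
import tarfile
from dataclasses import dataclass

# Indicators of an obfuscated loader. These are assumed heuristics for the
# example, not a published detection ruleset; tune them for your own audits.
OBFUSCATION_PATTERNS = {
    "exec_of_decoded_data": re.compile(
        r"exec\s*\(\s*(?:zlib\.decompress|base64\.b64decode|compile)\s*\("),
    "long_base64_literal": re.compile(r"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]"),
    "dynamic_import": re.compile(r"__import__\s*\(|getattr\s*\(\s*__builtins__"),
}


@dataclass(frozen=True)
class Finding:
    path: str
    reason: str


def build_sdist(top_dir: str, files: dict) -> bytes:
    """Build an in-memory .tar.gz in sdist layout (constructed test data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(name=f"{top_dir}/{path}")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def read_sdist(blob: bytes) -> dict:
    """Return {relative_path: bytes}, stripping the leading 'name-version/' dir."""
    files = {}
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            rel = member.name.split("/", 1)[1] if "/" in member.name else member.name
            files[rel] = tar.extractfile(member).read()
    return files


def audit_release(sdist_files: dict, repo_files: dict) -> list:
    """Compare a published artifact with the repository tree at the same version.

    Flags files that exist only in the artifact, files whose content diverged,
    and Python files matching an obfuscation indicator.
    """
    findings = []
    for path, data in sdist_files.items():
        if path not in repo_files:
            findings.append(Finding(path, "present in published artifact but not in repository"))
        elif data != repo_files[path]:
            findings.append(Finding(path, "content differs from repository"))
        if path.endswith(".py"):
            text = data.decode("utf-8", errors="replace")
            for name, pattern in OBFUSCATION_PATTERNS.items():
                if pattern.search(text):
                    findings.append(Finding(path, f"obfuscation indicator: {name}"))
    return findings


# --- Constructed sample: what the repo says vs. what was uploaded -----------
CLEAN_INIT = b'"""Example package."""\n__version__ = "0.1.14"\n'
SETUP_PY = b'from setuptools import setup\nsetup(name="examplepkg", version="0.1.14")\n'
# A 240-character base64 literal standing in for an encoded payload; it is
# never decoded or executed here, only scanned as text.
_BLOB = base64.b64encode(bytes(range(256)) * 2)[:240].decode()
TAMPERED_INIT = (
    CLEAN_INIT
    + b"import base64, zlib\n"
    + f'exec(zlib.decompress(base64.b64decode("{_BLOB}")))\n'.encode()
)

REPO_FILES = {"setup.py": SETUP_PY, "examplepkg/__init__.py": CLEAN_INIT}
PUBLISHED_SDIST = build_sdist("examplepkg-0.1.14", {
    "setup.py": SETUP_PY,
    "examplepkg/__init__.py": TAMPERED_INIT,          # loader added at release time
    "examplepkg/_telemetry.py": b"import os\nHOME = os.environ.get('HOME')\n",  # not in repo
})


def audit_demo() -> list:
    """Run the audit over the constructed sample and return the findings."""
    return audit_release(read_sdist(PUBLISHED_SDIST), REPO_FILES)


if __name__ == "__main__":
    for finding in audit_demo():
        print(f"{finding.path}: {finding.reason}")
```

In practice you would fetch the sdist from the index and the repository tree at the matching tag, then run `audit_release` over both; a diff that is not explained by build-time generated files is the signal to block the version before it reaches a lockfile.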

*   *   *

Our team will continue to hunt, squash attacks, and remove malicious packages in our effort to keep the open-source ecosystem safe.

I encourage you to stay up to date with the latest trends and tactics in software supply chain security by tuning into our future posts and learning how to defend against potential threats.

Stay tuned…

Checkmarx Supply Chain Security,

Working to Keep the Open Source Ecosystem Safe
