The document discusses various security issues in software dependencies, particularly focusing on npm and related ecosystems. It highlights various attack vectors including typosquatting, dependency confusion, and software vulnerabilities, along with recommendations for maintaining security awareness among developers. The importance of using official sources, enabling two-factor authentication, and implementing proper infrastructure security practices is emphasized to mitigate risks.

1. Mateusz Olejarka
SecuRing
Deweloper na cyfrowym
celowniku, edycja 2023

4. https://socket.dev/blog/npm-registry-spam-john-wick

5. BIO
• Principal Security Consultant @ SecuRing
• Head of Web Security
• Co-author of Security Aware Developer
training
• Ex-developer

7. Agenda
• Attacks on libraries
• Attacks on tools
• Attacks on infrastructure
• Defence

8. Attacks on
libraries
https://flickr.com/photos/29233640@N07/

9. Complexity
https://sambleckley.com/writing/npm.html

10. Complexity
https://sambleckley.com/writing/npm.html

11. Fun fact
https://www.npmjs.com/package/-

12. Fun fact
https://cdn.jsdelivr.net/npm/-@0.0.1/

13. Fun fact
https://web.archive.org/web/20201118151234/https://www.npmjs.com/package/-

14. Interview
I mean no harm to anyone in any way
https://www.bleepingcomputer.com/news/software/empty-npm-package-has-over-700-000-downloads-heres-why/

15. Interview
Parzhitsky agrees [...] that the unusually high number of
downloads can most likely be attributed to developers
making typos

16. Attacks on libraries
• Typosquatting
• Dependency confusion
• Maintainer’s account takeover
• Protestware

17. Typosquatting
https://www.npmjs.com/package/electorn

18. electron
electorn
Typosquatting

19. https://www.mend.io/resources/blog/cybercriminals-targeted-users-of-packages-with-a-total-of-1-5-billion-weekly-downloads-on-npm
Typosquatting

20. Typosquatting + adware
https://socket.dev/blog/whats-in-your-npm-stat-counter

21. Typosquatting
https://www.iqt.org/bewear-python-typosquatting-is-about-more-than-typos/

22. Typosquatting
and many more…

23. Dependency Confusion

24. Dependency Confusion
What happens if malicious code is uploaded to npm under
these names?
Is it possible that some of PayPal’s internal projects will
start defaulting to the new public packages instead of the
private ones?
https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610

25. Maintainer’s account takeover

26. Maintainer’s account takeover
https://my.diffend.io/npm/ua-parser-js/0.7.28/0.7.29

27. Maintainer’s account takeover

28. Maintainer’s account takeover

29. Maintainer’s account takeover

30. Maintainer’s account takeover

31. Maintainer’s account takeover

32. Maintainer’s account takeover

33. Maintainer’s account takeover

34. Maintainer’s account takeover

36. Maintainer’s account takeover
https://www.mend.io/resources/blog/popular-cryptocurrency-exchange-dydx-has-had-its-npm-account-hacked/

37. Expired domain
https://twitter.com/lrvick/status/1523774962909298690

38. Expired domain
https://www.npmjs.com/package/foreach

39. Expired domain
https://github.com/manuelstofer/foreach/commit/644640c4c84abc415140b00c3629084e982f2182

40. colors and faker
https://my.diffend.io/npm/colors/1.4.0/1.4.44-liberty-2

41. colors and faker
https://www.bleepingcomputer.com/news/security/dev-corrupts-npm-libs-colors-and-faker-breaking-thousands-of-apps/

42. Protestware
https://www.npmjs.com/package/node-ipc

43. Protestware
https://my.diffend.io/npm/node-ipc/10.1.0/10.1.1

44. Protestware
https://api.ipgeolocation.io/ipgeo?apiKey=[cut]
./
../
../../
/
country_name
russia
belarus

45. ❤️
❤️

46. Protestware
https://snyk.io/blog/peacenotwar-malicious-npm-node-ipc-package-vulnerability/

47. https://blog.sonatype.com/all?q=package
Some numbers
Packages flagged as malicious, suspicious, or
dependency confusion attacks in npm and PyPi:
October 7, 2022 ~100
October 14, 2022 ~50
October 21, 2022 ~40
October 28, 2022 ~70
Weekly in September ~89
Weekly in October ~65

48. Attacks on
tools
https://flickr.com/photos/danielmee/

49. Attacks on Tools
• Codecov
• Homebrew
• npm
• Ruby Gems

50. On Thursday, April 1, 2021, we learned that someone had
gained unauthorized access to our Bash Uploader script
and modified it without our permission.

51. This customer was using the shasum that is available on
our Bash Uploader to confirm the integrity of the uploader
fetched from https://codecov.io/bash.

52. https://docs.codecov.com/docs/about-the-codecov-bash-uploader

53. https://gist.github.com/davidrans/ca6e9ffa5865983d9f6aa00b7a4a1d10

55. Our use of Codecov’s Bash Uploader script was limited: it
was set up on a single CI server used to test and build some
internal tooling […].
We were not using Codecov on any CI server used for
product code.
https://www.rapid7.com/blog/post/2021/05/13/rapid7s-response-to-codecov-incident/

56. While investigation has not revealed evidence of
unauthorized usage of the exposed GPG key, it has been
rotated in order to maintain a trusted signing mechanism
https://discuss.hashicorp.com/t/hcsec-2021-12-codecov-security-event-and-hashicorp-gpg-key-exposure/23512

57. https://news.ycombinator.com/item?id=26819983

58. Homebrew
In the Homebrew/homebrew-cask repository, it was
possible to merge the malicious pull request by confusing
the library that is used in the automated pull request
review script developed by the Homebrew project.
https://blog.ryotak.me/post/homebrew-security-incident-en/

59. Homebrew
This is due to a flaw in the git_diff dependency of the
review-cask-pr GitHub Action, which is used to parse a pull
request’s diff for inspection.
Due to this flaw, the parser can be spoofed into
completely ignoring the offending lines, resulting in
successfully approving a malicious pull request.

60. Homebrew
By abusing it, an attacker could execute arbitrary Ruby codes on users'
machine who uses brew.
The discovered vulnerability would allow an attacker to inject arbitrary
code into a cask and have it be merged automatically

61. Second, on November 2 we received a report to our security bug
bounty program of a vulnerability that would allow an attacker to
publish new versions of any npm package using an account without
proper authorization
https://github.blog/2021-11-15-githubs-commitment-to-npm-ecosystem-security/

62. We determined that this vulnerability was due to inconsistent
authorization checks and validation of data across several
microservices that handle requests to the npm registry.

63. This vulnerability existed in the npm registry beyond the timeframe
for which we have telemetry to determine whether it has ever been
exploited maliciously.

64. However, we can say with high confidence that this vulnerability has
not been exploited maliciously during the timeframe for which we
have available telemetry, which goes back to September 2020

65. Ruby Gems
An ordering mistake in the code that accepts gem uploads allowed
some gems […] to be temporarily replaced in the CDN cache by a
malicious package
https://github.com/rubygems/rubygems.org/security/advisories/GHSA-2jmx-8mh8-pm8w

66. Ruby Gems
1. An attacker could guess the next version number, and create a gem
with the name sorbet-static-0.5.9996-universal-darwin and version
number 20.

67. Ruby Gems
2. With a crafted invalid gemspec, it was possible to coerce
RubyGems.org to save that gem to S3 without creating a matching
database record.

68. Ruby Gems
3. Later, the real sorbet-static gem would release version 0.5.9996 as
usual, and the attacker-controlled file would be overwritten on S3.

69. Ruby Gems
4. However, if the attacker had already primed the Fastly CDN cache
by requesting their malicious gem, Fastly would continue to serve the
old, malicious package.

70. Attacks on
infrastructure
https://flickr.com/photos/quinnanya/

71. Attacks on infrastructure
• PHP
• GitHub
• GitHub

72. Yesterday (2021-03-28) two malicious commits were pushed to the
php-src repo [1] from the names of Rasmus Lerdorf and myself.
We don't yet know how exactly this happened, but everything points
towards a compromise of the git.php.net server (rather than a
compromise of an individual git account).
https://news-web.php.net/php.internals/113838

75. Something I was not aware of at the time is that git.php.net (intentionally)
supported pushing changes not only via SSH […] but also via HTTPS.
The latter did not use gitolite, and instead used git-http-backend behind Apache2
Digest authentication against the master.php.net user database.
https://news-web.php.net/php.internals/113981

77. It is notable that the attacker only makes a few guesses at usernames,
and successfully authenticates once the correct username has been
found.
While we don't have any specific evidence for this, a possible
explanation is that the user database of master.php.net has been
leaked

78. The master.php.net system, which is used for authentication and
various management tasks, was running very old code on a very old
operating system
/
PHP version, so some kind of vulnerability would not be terribly
surprising.

79. On April 12, GitHub Security began an investigation that uncovered
evidence that an attacker abused stolen OAuth user tokens issued to
two third-party OAuth integrators, Heroku and Travis-CI, to download
data from dozens of organizations, including npm.
https://github.blog/2022-04-15-security-alert-stolen-oauth-user-tokens/

80. Our analysis of other behavior by the threat actor suggests that the
actors may be mining the downloaded private repository contents, to
which the stolen OAuth token had access, for secrets that could be
used to pivot into other infrastructure.

81. GitHub contacted Heroku and Travis-CI to request that they initiate
their own security investigations, revoke all OAuth user tokens
associated with the affected applications, and begin work to notify
their own users.

82. We do not believe the attacker obtained these tokens via a
compromise of GitHub or its systems, because the tokens in question
are not stored by GitHub in their original, usable formats.

83. On April 7, 2022, a threat actor obtained access to a Heroku database
and downloaded stored customer GitHub integration OAuth tokens.
Access to the environment was gained by leveraging a compromised
token for a Heroku machine account.
https://status.heroku.com/incidents/2413

84. On that same day, the threat actor downloaded data from another
database that stores pipeline-level config vars for Review Apps and
Heroku CI.
Additionally, another small subset of Heroku users had their Heroku
tokens exposed in a config var for a pipeline.

85. On April 15, 2022, Travis CI personnel were informed that certain
private customer repositories may have been accessed by an
individual who used a man-in-the-middle 2FA attack, leveraging a
third-party integration token.
https://blog.travis-ci.com/2022-04-17-securitybulletin

86. Upon further review that same day, Travis CI personnel learned that
the hacker breached a Heroku service and accessed a private
application OAuth key used to integrate the Heroku and Travis CI
application.

87. Travis CI immediately revoked all authorization keys and tokens
preventing any further access to our systems. No customer data was
exposed and no further access was possible.

88. This week, we discovered that GitHub.com’s RSA SSH private key was
briefly exposed in a public GitHub repository.
We immediately acted to contain the exposure and began investigating
to understand the root cause and impact.
https://github.blog/2023-03-23-we-updated-our-rsa-ssh-host-key/

89. https://flickr.com/photos/143106192@N03/
Defence
https://www.flickr.com/photos/jamiedfw/

90. Libraries

91. Libraries
• Awareness

92. Libraries
• Awareness
• No typos ;)

93. Libraries
• Awareness
• No typos ;)
• Use tools to detect malicious dependencies

94. Libraries
• Awareness
• No typos ;)
• Use tools to detect malicious dependencies
• Download from official sources

95. Libraries
• Awareness
• No typos ;)
• Use tools to detect malicious dependencies
• Download from official sources
• When not sure do not install

96. Libraries
• Awareness
• No typos ;)
• Use tools to detect malicious dependencies
• Download from official sources
• When not sure do not install
• Enable 2FA (as a maintainer)

97. Enforcing 2FA
• Top 100 packages
• Started on: 1.02.2022
•Packages classified
as critical: ~4000
•Started on:
8.07.2022
• Top 100 packages
• Started on:
15.08.2022

98. Enforcing 2FA
https://p.datadoghq.com/sb/7dc8b3250-389f47d638b967dbb8f7edfd4c46acb1?from_ts=1662376975438&to_ts=1662463375438&live=true

99. Enforcing 2FA
https://pypistats.org/packages/atomicwrites

100. What can go wrong with enforcing 2fa?
https://github.com/untitaker/python-atomicwrites/issues/61

101. atomicwrites
I'd rather just write code for fun and only worry about supply chain
security when I'm actually paid to do so.

102. Libraries
• Awareness
• No typos ;)
• Use tools to detect malicious dependencies
• Download from official sources
• When not sure do not install
• Enable 2FA (as a maintainer)

103. https://jeremylong.github.io/DependencyCheck/

104. https://jeremylong.github.io/DependencyCheck/

105. pip-audit
https://pypi.org/project/pip-audit/

106. npm-audit

107. npm-audit

108. Safe npm
https://socket.dev/blog/introducing-safe-npm

109. Google Assured Open Source Software
https://cloud.google.com/assured-open-source-software

110. Tools

111. Tools
• I will not download and run scripts directly
from the net

112. Tools
• I will not download and run scripts directly
from the net
• I will verify checksums and signatures of
downloaded files

113. Tools
• I will not download and run scripts directly
from the net
• I will verify checksums and signatures of
downloaded files
• I will install only from official sources

114. Tools
• I will not download and run scripts directly
from the net
• I will verify checksums and signatures of
downloaded files
• I will install only from official sources
• I will update frequently what I’ve already
installed

115. Tools
• I will not download and run scripts directly
from the net
• I will verify checksums and signatures of
downloaded files
• I will install only from official sources
• I will update frequently what I’ve already
installed

116. Infrastructure

117. Infrastructure
• Keep good inventory, especially of what is in
the clouds

118. Infrastructure
• Keep good inventory, especially of what is in
the clouds
• Disable/shutdown what’s unused

119. Infrastructure
• Keep good inventory, especially of what is in
the clouds
• Disable/shutdown what’s unused
• Secure configurations

120. Infrastructure
• Keep good inventory, especially of what is in
the clouds
• Disable/shutdown what’s unused
• Secure configurations
• Frequently update (to fix known issues)

121. Infrastructure
• Keep good inventory, especially of what is in
the clouds
• Disable/shutdown what’s unused
• Secure configurations
• Frequently update (to fix known issues)
• Monitor, monitor, monitor

122. Infrastructure
• Keep good inventory, especially of what is in
the clouds
• Disable/shutdown what’s unused
• Secure configurations
• Frequently update (to fix known issues)
• Monitor, monitor, monitor

123. Final words
• Trust but always verify
• K.I.S.S.
• RTFM
• Keep stuff up to date
• Keep your secrets secret (KYSS ;)

124. https://www.linkedin.com/in/molejarka/
https://twitter.com/molejarka

125. Wejdź w agendę
Oceń mój wykład
w aplikacji Eventory
Kliknij w wybrany wykład
Oceń