PyPI 및 npm에 5,000개가 넘는 의존성 혼란 카피캣이 쇄도함

newsroom 3/11 '21 posted 뉴스 IT

• 목표는 내부 라이브러리보다 외부 라이브러리를 선호하는 패키지 관리자로 구성된 기본값 때문에 개발자와 자동화 시스템을 속여 잘못된 라이브러리를 사용하도록 하는 것입니다.

• 개발자의 소프트웨어 관리 앱은 내부 코드 라이브러리보다 외부 코드 라이브러리를 선호하는 경우가 많아 신뢰할 수 있는 패키지가 아닌 악성 패키지를 다운로드하여 사용합니다.

• 리눅스 시스템의 /etc/shadow 경로에 저장된 파일은 시스템의 사용자 계정에 액세스하는 데 필요한 암호 해시를 저장합니다.

Newly Identified Dependency Confusion Packages Target Amazon, Zillow, and Slack; Go Beyond Just Bug Bounties [blog.sonatype.com]

PyPI and npm Flooded with over 5,000 Dependency Confusion Copycats [blog.sonatype.com]

CONTRAST LABS REVEALS DEPENDENCY CONFUSION VULNERABILITY IN MICROSOFT TEAMS [www.contrastsecurity.com]

Avoiding npm substitution attacks [github.blog]

A new type of supply-chain attack with serious consequences is flourishing [arstechnica.com]

newest replies popular replies

Open Wiki - Feel free to edit it. -

3/11 '21 answered

A new type of supply-chain attack with serious consequences is flourishing

Via:https://t.co/7jpEI74BHk

Source:https://t.co/QqiIbfg6cZ

Microsoft Guidance:https://t.co/Q8KU8OU5Jh pic.twitter.com/LG4LrjLhU2
— CK's Technology News (@CKsTechNews) March 8, 2021

Avoiding npm substitution attacks by @izs

TL;DR
1. Use scopes for internal packages.
2. Use a .npmrc file in the root of a project to set the intended registry.
3. Take care when proxying.
4. Respond quickly to build failures.https://t.co/8VBHeXxLHZ
— Adam Baldwin (@adam_baldwin) February 12, 2021

So by our calculations Dependency Confusion copycats number near 6k at this point, just yesterday we saw 1.5k more in npm. This follows well-established supply chain strategies. There is evidence not all of them are just security research. https://t.co/wXjkm5xAex
— Ilkka Turunen (@llkkaT) March 4, 2021

https://t.co/3o0obqmygC

Don't forget your if(true === true){console.log("true")}; package.

Can we replace JS package managers with something sane, yet?
— Trevor Seward (@NaupliusTrevor) March 6, 2021

More top-tier companies targeted by new type of potentially serious attack https://t.co/CLyUKPsW0h by @dangoodin001
— Ars Technica (@arstechnica) March 6, 2021

Article on the package substitution/name confusion attack on package managers to get malicious code into an engineering system - packages with names of internal packages but having malicious code that will get used if external favored over internal. https://t.co/vFCkEwgMO7
— Buck Hodges (@tfsbuck) March 7, 2021

PyPI and #npm flooded with ~5,000 dependency confusion packages named after popular #opensource components by a vigilante "to make everyone pay attention to software #supplychain attacks, because the risks are too great."https://t.co/hTF71daJpu
#devops #securitynews #DevSecOps pic.twitter.com/GdcxAVaLQw
— Ax Sharma (@Ax_Sharma) March 3, 2021

This is scary. I wonder if using a private npm namespace ("@\your-company") with a separately configured registry URL is enough to nerf it... I guess just make sure you also own that namespace on the public registry!https://t.co/Q7nYs7j8I8
— astro creep (@sambreed) February 10, 2021

So by our calculations Dependency Confusion copycats number near 6k at this point, just yesterday we saw 1.5k more in npm. This follows well-established supply chain strategies. There is evidence not all of them are just security research. https://t.co/wXjkm5xAex
— Ilkka Turunen (@llkkaT) March 4, 2021

PyPI and #npm flooded with ~5,000 dependency confusion packages named after popular #opensource components by a vigilante "to make everyone pay attention to software #supplychain attacks, because the risks are too great."https://t.co/hTF71daJpu
#devops #securitynews #DevSecOps pic.twitter.com/GdcxAVaLQw
— Ax Sharma (@Ax_Sharma) March 3, 2021

Avoiding #npm Substitution Attacks — Recently there have been some high profile examples of supply chain attacks on popular source code repositories, such as where fake or eponymous packages are published... || #JavaScript #NodeJS #WebDev https://t.co/VIdfWsUNdq pic.twitter.com/Teb8YXaArm
— Jay ????️ (@Jay52_TX) March 6, 2021

A new type of #supplychain attack with serious consequences is flourishing > https://t.co/iWHjNDpiD3 on @arstechnica #cybersecurity #security #cyberthreats #cyberattacks #databreaches #tech #business #leaders #leadership #CISO #CIO #CTO #CEO pic.twitter.com/jUOCF4hINs
— JC Gaillard (@Corix_JC) March 10, 2021

A new type of supply-chain attack with serious consequences is flourishing https://t.co/cElhAOr5pZ by @dangoodin001 @alxbrsn @Ax_Sharma @sonatype @contrastsec
— Elinor Mills (she/her) (@elinormills) March 8, 2021

? A new type of supply-chain attack with serious consequences is flourishing#cybersecurity
⁦@archonsec⁩ ⁦@BillMew⁩ ⁦@robmay70⁩ ⁦@digitalcloudgal⁩ https://t.co/cmuYQk6J3l
— Dr. ir Johannes Drooghaag (JD) ? (@DrJDrooghaag) March 7, 2021

It turns out that software is "curl | sh" all the way down: https://t.co/6inJn44RgN
— Kyle Rankin (@kylerankin) March 8, 2021

A new type of supply-chain attack with serious consequences is
flourishinghttps://t.co/0yHuXL8qev
— Sami Laiho (@samilaiho) March 7, 2021

"In weeks past, Apple, Microsoft, Tesla, and 32 other companies were targeted by a similar attack that allowed a security researcher to execute unauthorized code inside their networks." https://t.co/TdHjHg4oKn
— Martijn Rasser (@MartijnRasser) March 7, 2021

A new type of supply-chain attack with serious consequences is flourishing https://t.co/j6w62R0cmz
— The Cyber Security Hub™ (@TheCyberSecHub) March 6, 2021

“The goal of these attacks is to execute unauthorized code inside a target’s internal software build system. The technique works by uploading malicious packages to public code repositories and giving them a name that’s identical to a stored package”https://t.co/4b7M7HVCry
— John Hemmings (@JohnHemmings2) March 6, 2021

Sonatype에 따르면 의존성 혼동을 악용한 패키지가 npm에 5,000종 이상이고 합니다. https://t.co/ISUuf5S9Qe
— ?라루얀 / 말썽쟁이 구운 경단 ? (@LaruYan) March 7, 2021

permanent link

Featured

Important Notice: Discontinuation of Our Wiki Service

Dear Valued Users,

We hope this message finds you well. We are writing to inform you of an important upcoming change to our services. After careful consideration and analysis, we have made the difficult decision to discontinue our wiki site, effective one month from 2024/04/30.

This was not an easy decision to make, as we understand the importance of the resources and community that have been built around our wiki. However, due to evolving market conditions and strategic realignments, we must redirect our resources and efforts towards other ventures that will allow us to serve you better in the future.

What This Means for You:

Access to Content: You will continue to have full access to all content on the wiki until the discontinuation date. We encourage you to save or migrate any content you wish to retain.
Final Date of Service: The wiki will become inaccessible starting 1st June 2024, after which all content will be permanently removed.

We are immensely grateful for the support and contributions of our user community throughout the years. The wiki is being retired, but our team will be back soon with new services and apps.

Thank you for being a part of our journey.

Warm regards,

editoy Inc.

Related

Featured