PyPI 및 npm에 5,000개가 넘는 의존성 혼란 카피캣이 쇄도함

newsroom 3/11 '21 posted 뉴스 IT

• 목표는 내부 라이브러리보다 외부 라이브러리를 선호하는 패키지 관리자로 구성된 기본값 때문에 개발자와 자동화 시스템을 속여 잘못된 라이브러리를 사용하도록 하는 것입니다.

• 개발자의 소프트웨어 관리 앱은 내부 코드 라이브러리보다 외부 코드 라이브러리를 선호하는 경우가 많아 신뢰할 수 있는 패키지가 아닌 악성 패키지를 다운로드하여 사용합니다.

• 리눅스 시스템의 /etc/shadow 경로에 저장된 파일은 시스템의 사용자 계정에 액세스하는 데 필요한 암호 해시를 저장합니다.

Newly Identified Dependency Confusion Packages Target Amazon, Zillow, and Slack; Go Beyond Just Bug Bounties [blog.sonatype.com]

PyPI and npm Flooded with over 5,000 Dependency Confusion Copycats [blog.sonatype.com]

CONTRAST LABS REVEALS DEPENDENCY CONFUSION VULNERABILITY IN MICROSOFT TEAMS [www.contrastsecurity.com]

Avoiding npm substitution attacks [github.blog]

A new type of supply-chain attack with serious consequences is flourishing [arstechnica.com]

newest replies popular replies

Open Wiki - Feel free to edit it. -

3/11 '21 answered

A new type of supply-chain attack with serious consequences is flourishing

Via:https://t.co/7jpEI74BHk

Source:https://t.co/QqiIbfg6cZ

Microsoft Guidance:https://t.co/Q8KU8OU5Jh pic.twitter.com/LG4LrjLhU2
— CK's Technology News (@CKsTechNews) March 8, 2021

Avoiding npm substitution attacks by @izs

TL;DR
1. Use scopes for internal packages.
2. Use a .npmrc file in the root of a project to set the intended registry.
3. Take care when proxying.
4. Respond quickly to build failures.https://t.co/8VBHeXxLHZ
— Adam Baldwin (@adam_baldwin) February 12, 2021

So by our calculations Dependency Confusion copycats number near 6k at this point, just yesterday we saw 1.5k more in npm. This follows well-established supply chain strategies. There is evidence not all of them are just security research. https://t.co/wXjkm5xAex
— Ilkka Turunen (@llkkaT) March 4, 2021

https://t.co/3o0obqmygC

Don't forget your if(true === true){console.log("true")}; package.

Can we replace JS package managers with something sane, yet?
— Trevor Seward (@NaupliusTrevor) March 6, 2021

More top-tier companies targeted by new type of potentially serious attack https://t.co/CLyUKPsW0h by @dangoodin001
— Ars Technica (@arstechnica) March 6, 2021

Article on the package substitution/name confusion attack on package managers to get malicious code into an engineering system - packages with names of internal packages but having malicious code that will get used if external favored over internal. https://t.co/vFCkEwgMO7
— Buck Hodges (@tfsbuck) March 7, 2021

PyPI and #npm flooded with ~5,000 dependency confusion packages named after popular #opensource components by a vigilante "to make everyone pay attention to software #supplychain attacks, because the risks are too great."https://t.co/hTF71daJpu
#devops #securitynews #DevSecOps pic.twitter.com/GdcxAVaLQw
— Ax Sharma (@Ax_Sharma) March 3, 2021

This is scary. I wonder if using a private npm namespace ("@\your-company") with a separately configured registry URL is enough to nerf it... I guess just make sure you also own that namespace on the public registry!https://t.co/Q7nYs7j8I8
— astro creep (@sambreed) February 10, 2021

So by our calculations Dependency Confusion copycats number near 6k at this point, just yesterday we saw 1.5k more in npm. This follows well-established supply chain strategies. There is evidence not all of them are just security research. https://t.co/wXjkm5xAex
— Ilkka Turunen (@llkkaT) March 4, 2021

PyPI and #npm flooded with ~5,000 dependency confusion packages named after popular #opensource components by a vigilante "to make everyone pay attention to software #supplychain attacks, because the risks are too great."https://t.co/hTF71daJpu
#devops #securitynews #DevSecOps pic.twitter.com/GdcxAVaLQw
— Ax Sharma (@Ax_Sharma) March 3, 2021

Avoiding #npm Substitution Attacks — Recently there have been some high profile examples of supply chain attacks on popular source code repositories, such as where fake or eponymous packages are published... || #JavaScript #NodeJS #WebDev https://t.co/VIdfWsUNdq pic.twitter.com/Teb8YXaArm
— Jay ????️ (@Jay52_TX) March 6, 2021

A new type of #supplychain attack with serious consequences is flourishing > https://t.co/iWHjNDpiD3 on @arstechnica #cybersecurity #security #cyberthreats #cyberattacks #databreaches #tech #business #leaders #leadership #CISO #CIO #CTO #CEO pic.twitter.com/jUOCF4hINs
— JC Gaillard (@Corix_JC) March 10, 2021

A new type of supply-chain attack with serious consequences is flourishing https://t.co/cElhAOr5pZ by @dangoodin001 @alxbrsn @Ax_Sharma @sonatype @contrastsec
— Elinor Mills (she/her) (@elinormills) March 8, 2021

? A new type of supply-chain attack with serious consequences is flourishing#cybersecurity
⁦@archonsec⁩ ⁦@BillMew⁩ ⁦@robmay70⁩ ⁦@digitalcloudgal⁩ https://t.co/cmuYQk6J3l
— Dr. ir Johannes Drooghaag (JD) ? (@DrJDrooghaag) March 7, 2021

It turns out that software is "curl | sh" all the way down: https://t.co/6inJn44RgN
— Kyle Rankin (@kylerankin) March 8, 2021

A new type of supply-chain attack with serious consequences is
flourishinghttps://t.co/0yHuXL8qev
— Sami Laiho (@samilaiho) March 7, 2021

"In weeks past, Apple, Microsoft, Tesla, and 32 other companies were targeted by a similar attack that allowed a security researcher to execute unauthorized code inside their networks." https://t.co/TdHjHg4oKn
— Martijn Rasser (@MartijnRasser) March 7, 2021

A new type of supply-chain attack with serious consequences is flourishing https://t.co/j6w62R0cmz
— The Cyber Security Hub™ (@TheCyberSecHub) March 6, 2021

“The goal of these attacks is to execute unauthorized code inside a target’s internal software build system. The technique works by uploading malicious packages to public code repositories and giving them a name that’s identical to a stored package”https://t.co/4b7M7HVCry
— John Hemmings (@JohnHemmings2) March 6, 2021

Sonatype에 따르면 의존성 혼동을 악용한 패키지가 npm에 5,000종 이상이고 합니다. https://t.co/ISUuf5S9Qe
— ?라루얀 / 말썽쟁이 구운 경단 ? (@LaruYan) March 7, 2021

permanent link

Reply with curations

Related

Featured