Welcome to This Week in Supply Chain Security, your essential weekly resource for the latest developments in software supply chain security. Each week, we bring you critical insights and updates to help you stay ahead in safeguarding your software supply chain. Brought to you by the open source security experts at Stacklok.
Recent Security Incidents
A selection of the most impactful security breaches or threats in supply chains
Attack of the Zombie Packages
JFrog highlighted a security risk related to the PyPI registry. In the technique, dubbed "Revival Hijack", malicious actors can immediately claim a package name that has been deleted from the PyPI registry and upload new versions of the package, which may then be downloaded by existing users of the original package. JFrog estimates that about 22 million packages may be affected; this problem was also reported last year by Reversing Labs.
DPRK Attackers At It Again
Stacklok (my employer) located another DPRK crypto-developer supply chain targeting scheme. The attacks appear to be part of a social engineering job-interview campaign, and also capitalize on typosquatting of some popular libraries in the NPM crypto ecosystem. The end result, as usual, is an information stealer for cryptocurrency wallets, keylogging and clipboard stealing, and a remote code execution agent; this one primarily targets macOS users.
And Again...
In a fairly terse report, Phylum also reported discovering a number of malicious NPM packages with malware downloaders associated with the DPRK. The Phylum-reported malware was associated with Windows targets, rather than the Mac targets in the Stacklok report. If you're in crypto development, it's probably best to double or triple-check any job / collaboration offers.
GitHub Actions Typosquatting
Orca Security implemented a PoC highlighting the risk of typos in the names of GitHub Actions. By registering organization names like circelci and actons, Orca was able to monitor how many public repositories depended on the action. They also observed that at least one other organization had registered aws-action and explicitly called it out as a typosquatting testing organization. The "best practice" recommendations are a bit weak: try not to typo the names, and then check that the repos have the expected numbers of stars and forks.
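A stronger check than eyeballing names is to lint workflow files for action owners that sit within a small edit distance of an owner you actually trust. The following is an added example, not code from Orca or from this newsletter; the allowlist, the distance threshold and the sample workflow (including the repository names under the misspelled owners) are assumptions constructed for illustration.

```python
import re

# Assumption: owners this repository intends to depend on (hypothetical allowlist).
TRUSTED_OWNERS = {"actions", "aws-actions", "circleci", "docker"}
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)", re.MULTILINE)

# Constructed sample workflow; the three misspelled owners are the ones named above.
SAMPLE_WORKFLOW = """\
steps:
  - uses: actions/checkout@v4
  - uses: actons/setup-node@v4
  - uses: circelci/trigger-pipeline@v1
  - uses: aws-action/configure-aws-credentials@v4
  - uses: ./.github/actions/local-lint
  - uses: example-org/unrelated-tool@v2
"""

def edit_distance(a, b):
    """Optimal-string-alignment distance: a swapped adjacent pair counts as one edit."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def action_owner(ref):
    """Owner of an owner/repo[/path]@ref reference; None for local and docker:// refs."""
    if ref.startswith(("./", "../", "docker://")):
        return None
    return ref.split("@", 1)[0].split("/", 1)[0].lower()

def find_suspect_owners(workflow_text, trusted=TRUSTED_OWNERS, max_distance=2):
    """Return (reference, owner, nearest trusted owner) for near-miss owners."""
    findings = []
    for ref in USES_RE.findall(workflow_text):
        owner = action_owner(ref)
        if owner is None or owner in trusted:
            continue
        nearest = min(trusted, key=lambda t: (edit_distance(owner, t), t))
        if edit_distance(owner, nearest) <= max_distance:
            findings.append((ref, owner, nearest))
    return findings

if __name__ == "__main__":
    for ref, owner, nearest in find_suspect_owners(SAMPLE_WORKFLOW):
        print(f"{ref}: owner '{owner}' is close to trusted '{nearest}'")
```

Owners that are neither trusted nor close to a trusted name (example-org in the sample) pass silently, so this complements an explicit allowlist rather than replacing one.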
Fake Stars for Sale
Socket highlighted some research from a summer intern that uncovered 3.7 million fake GitHub stars based on analysis of clusters of starring activity. Fake stars can be purchased on the underground market, and the accounts involved sometimes also star legitimate products to hide their bot activity. Overall, 11% of repositories which benefitted from fake star campaigns remain active on GitHub, along with 18% of accounts contributing.
Yubikey Physical Attack
Researchers at NinjaLab discovered a private key leak from Yubikey and other vendors based on Infineon Technologies hardware and libraries. For security reasons, the Yubikey firmware on many of these devices is non-upgradeable, meaning that the upgrade path is hardware replacement. On the not-so-bad side, the attack requires physical access to the device and specialized hardware to extract the keys, and most of the benefit of a device second factor is in protection from remote attackers (phishing and the like). Don't throw out your Yubikeys just yet!
The Comment Said This Would Fix Things
Both Daniel Stromberg and Socket have called out a wave of spam comments linking to password-protected malware hosted on Mediafire. This looks like a very low-effort campaign, with many of the messages saying "to fix your trouble check this fix, I see it in another issue" and "When you install, select 'gcc'" or the like. Despite that, apparently at least one GitHub user actually fell victim to the spam; it also created a bunch of work for repo maintainers, who had to clean up the comments. (Seriously, don't download password-protected archives because someone in a comment told you to do so!)
AI-Driven Comments? What Could Go Wrong?
Researchers at Kudelski Security analyzed the PR-Agent open-source tool, which can provide AI-powered summaries of pull requests on GitHub and GitLab, and found a number of security issues. On the GitLab side, it was possible to trigger PR-Agent to insert quick action comments (like /approve) which might execute with elevated privileges compared with the commenting attacker. On both GitHub and GitLab, it was also possible to change PR-Agent configuration options through markdown comments and use the changed configuration to exfiltrate sensitive data like API keys or other secrets.
Jenkins File Read to Remote Code Execution
In a somewhat-surprising privilege escalation, Conviso researchers analyzed CVE-2024-43044 in Jenkins, and were able to build an attack which escalated remote file read access from a Jenkins agent (name and secret) into remote code execution. The post is an interesting read, but basically they were able to extend remote file read into reading long-term credentials for Jenkins administrators, and then escalate to that role to achieve remote code execution. Patch your Jenkins servers!
Roblox Developers Targeted By NPM Malware
Checkmarx has found yet more packages attempting to imitate noblox.js to install malware. The new packages attempt to combine a number of disguise techniques (starjacking, typosquatting, and an obfuscated postinstall script) to deliver a remote access trojan. Not explained is why these attackers are so persistently targeting Roblox developers.
WordPress Plugins Are Easy Pickings
Eddie Zhang was able to find 14 CVEs in WordPress plugins in a trio of afternoons simply by hooking up static analysis security tools (Semgrep) to all the WordPress plugins with at least one upload in the last 2 years. Eddie limited his search to local file inclusion and SQL injection rules, and limited himself to 5 minutes of triaging per "interesting" finding. Overall, he was able to validate his CVEs against actual installs and about half of his reported findings seem to have been fixed. Eddie suspects there are more issues; this was more about being able to find issues quickly and cheaply.
Free Tools and Tips
New open-source and free (as in beer) supply chain security tools
bomctl: Control Your SBOMs
The OpenSSF announced bomctl, a Swiss Army Knife tool for reading and manipulating SBOM information in a variety of formats. The initial project has been developed by Lockheed Martin with additions from Scribe Security and Defense Unicorns, building on the protobom project. The project aims to enable compatibility and translation between different SBOM standards (CycloneDX and SPDX, primarily), as well as managing linkages between SBOMs.
If You're Going To Leak A Token, Don't Do It On GitHub
A fun bit of research from Cybenari: they intentionally leaked a set of AWS-looking canary tokens onto a number of different services, from GitHub and GitLab to self-hosted webservers, package managers, and cloud storage buckets. Tokens leaked to NPM, PyPI, and GitHub all had usage within about 2 minutes of the leak, while Pastebin was almost an hour, and DockerHub public images took 7 days for the initial access attempt. GitLab and BitBucket tokens weren't accessed at all, nor were cloud storage buckets that didn't have some other external reference.
Community and Public Sector Updates
No Degree? No Problem
The US Office of the National Cyber Director has announced that cyber-defense jobs in the federal government will be moving from degree-based requirements to skill-based requirements. The goal is to reduce artificial barriers to entry, and to support recruiting cyber-defense talent who may have entered the workforce through nontraditional paths. Having worked with some excellent colleagues who had not finished high school, I support this move.
SBOMs? The Army Is Getting Serious
On the "making it harder to spend federal dollars" front, the Army has issued a memo that new non-cloud software acquired next year will need to include an SBOM. You may have thought that EO14028 in 2021 would have already required this change, but apparently it's taken 3 years of study to determine what requiring an SBOM (or god forbid, a cryptographically signed attestation) would mean for the Army.
That's all for this week! See you next Thursday...