Dependency-based attacks

In 2003, Elias Levy published a prediction in the IEEE Security & Privacy journal about supply chain attacks: attacks in which malicious code is injected into a dependency of a software vendor's product. This has since become a reality, as current software projects generally use several open source packages, and these in turn introduce several transitive dependencies.

A prominent example of this type of attack is the 2017 cyberattacks in Ukraine, in which Petya malware was delivered through an update of a Ukrainian tax accounting package called MeDoc. Because MeDoc is very popular in Ukraine, the attack took on worldwide proportions, causing billions of dollars in damage and becoming one of the biggest cyberattacks to date.

A single open-source package can be used by thousands of other applications and packages, which makes such packages a target for malicious users. In 2018, a malicious user injected malicious code into an npm package called event-stream. This package is used by approximately 1600 other packages and receives more than 1 million weekly downloads.

Analysis of dependency-based attacks in NodeJS

In May 2020, Marc Ohm, Henrik Plate, Arnold Sykosch and Michael Meier published a paper called Backstabber's Knife Collection: A Review of Open Source Software Supply Chain Attacks. In it, they analyzed 174 malicious software packages that were used in real-world attacks on open source software supply chains, of which 174 packages were NPM packages.

The paper shows interesting aspects of malicious software packages in NPM. It found that 60% of malicious packages start their routines during installation. This can be triggered by the package repository's install command, e.g. npm install, which invokes code as defined in the package's definition, e.g. package.json.

Another important aspect is how malicious code is injected into these packages. The paper shows that 50% of malicious packages mimic existing packages' names via typosquatting. The second most used method was the infection of an existing package, which may often be achieved with compromised credentials for the repository system.

The main objective of these attacks is the exfiltration of data: in 60% of the attacks this was the main objective. Commonly, the data of interest is the content of /etc/passwd, ~/.ssh/*, ~/.npmrc, or ~/.bash_history. Furthermore, malicious packages try to exfiltrate environment variables (which might contain access tokens) and general system information.
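
The install-time trigger and the exfiltration targets described above can be checked for in a package's manifest before it is installed. The following is an added example, not code from the paper or from npm: it flags parsed package.json manifests that define preinstall, install or postinstall scripts and rates a finding higher when the command names the data listed above. The package names, sample manifests and function names are constructed for illustration.

```javascript
// Added example: audit parsed package.json manifests for scripts that npm
// runs automatically during `npm install`.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// Data the page lists as common exfiltration targets.
const SENSITIVE = [
  { label: '/etc/passwd', re: /\/etc\/passwd/ },
  { label: '~/.ssh', re: /\.ssh\b/ },
  { label: '~/.npmrc', re: /\.npmrc\b/ },
  { label: '~/.bash_history', re: /\.bash_history\b/ },
  { label: 'environment variables', re: /process\.env|\bprintenv\b/ },
];

// Returns one finding per install-time hook. A hook on its own is only a
// reason to review; a hook whose command names sensitive data is "high".
// Hooks often delegate to a file (e.g. `node setup.js`) that this function
// does not read, so "review" findings still need that file inspected.
function auditManifest(manifest) {
  const scripts = (manifest && manifest.scripts) || {};
  const findings = [];
  for (const hook of INSTALL_HOOKS) {
    const command = scripts[hook];
    if (typeof command !== 'string' || command.trim() === '') continue;
    const touches = SENSITIVE.filter((s) => s.re.test(command)).map((s) => s.label);
    const severity = touches.length > 0 ? 'high' : 'review';
    findings.push({ pkg: manifest.name || '(unnamed)', hook, command, touches, severity });
  }
  return findings;
}

function auditAll(manifests) {
  return manifests.flatMap(auditManifest);
}

// Constructed sample manifests (hypothetical package names).
const SAMPLES = [
  { name: 'example-lib', scripts: { test: 'mocha' } },
  { name: 'example-native-addon', scripts: { install: 'node-gyp rebuild' } },
  { name: 'example-typo-pkg', scripts: { postinstall: 'node collect.js ~/.npmrc ~/.ssh' } },
];

for (const f of auditAll(SAMPLES)) {
  console.log(`${f.severity.toUpperCase()} ${f.pkg} [${f.hook}]: ${f.command}`);
}
```

In practice the manifests would come from JSON.parse of each package.json under node_modules or from the registry metadata. Installing with npm install --ignore-scripts keeps these hooks from running until they have been reviewed.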
