Published on 11 Jan 2023
There have been reports of cybercriminals creating malicious counterfeits of legitimate dependencies by attempting to populate package manager and container repositories with malicious codes and images. Below are some of the recent cases involving the introduction of vulnerabilities into the system through malicious third-party dependencies:
Inadvertent download and deployment of malicious dependencies in enterprise projects will pose a significant risk to enterprises and may lead to data exfiltration. As such, developers are advised to stay vigilant and adopt good cyber hygiene measures when downloading and deploying third-party dependencies.
Some common techniques conducted by cybercriminals to trick developers into downloading malicious dependencies are outlined below:
Typosquatting
Malicious dependencies may attempt to disguise as legitimate dependencies by using a similar but misspelt name, attempting to trick unsuspecting developers to inadvertently install these malicious packages.
Examples of Typosquatting:
“Jeilyfish” in PyPI is a misspelling of the legitimate dependency “Jellyfish”
“electorn” in npm is a misspelling of the legitimate dependency “electron”
Brandjacking
Cybercriminals may impersonate a trusted organisation by using the same naming convention or other characteristics specific to the organisation, to gain the trust of victims and trick them into downloading the malicious dependencies.
Dependency Confusion
Cybercriminals may publish malicious public dependency packages with the same name but with a higher version number to take advantage of the default behaviour of the package manager to force download the malicious dependency packages.
Precautionary Measures when Using Third-party Dependencies
Developers may wish to adopt the following precautionary measures to protect themselves and their organisations from malicious dependencies:
For more information, please refer to:
https://www.hkcert.org/blog/beware-of-malicious-or-vulnerable-third-party-dependencies
https://heimdalsecurity.com/blog/malicious-pypi-packages-used-to-mine-cryptocurrency/
https://www.zdnet.com/article/malicious-npm-packages-caught-installing-remote-access-trojans/
https://unit42.paloaltonetworks.com/malicious-cryptojacking-images/
https://snyk.io/series/open-source-security/software-dependencies/
https://thehackernews.com/2023/01/hackers-distributing-malicious-visual.html