
Apple, Microsoft, PayPal among 35 organizations compromised by evil twin dependencies attack


Security researcher finds it’s easy to confuse build systems with malicious versions of private software libraries
Bug hunter Alex Birsan last year managed to compromise the software supply chain of 35 companies by exploiting packaging mechanisms used by JavaScript, Python, and Ruby developers.

In a write-up posted on Tuesday, Birsan recounts how he managed to distribute proof-of-concept malicious code through the npm Registry, PyPI (Python Package Index), and RubyGems, which are used by developers to install software libraries that add functionality to their applications.

Integrating third-party software libraries from public registries requires a high degree of trust in those creating and uploading software packages, and that trust has frequently been abused through techniques like typosquatting or compromising a library maintainer’s account.

These packaging systems are public in that any developer can add specific package names to their code and load those libraries from a remote repository into the environment where the app that contains the modules will run. But they also allow for private dependencies – code libraries used internally at an organization that aren’t available to the general public.

Birsan set out to see whether he could identify the names of private packages used inside companies and create malicious packages using those library names to place in the public package registries – the indexes that keep track of available software modules. The names of private packages turned out to be rather easy to find, particularly in the Node.
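The exposure the article describes comes down to how a package manager is configured to resolve a name that exists both privately and publicly. The following added example (not code from the article or from Birsan's research) is a defender-side check that reads a project's dependency declarations together with its registry configuration and flags internal package names that the build could satisfy from a public registry. All inputs are constructed: the `package.json`, `.npmrc`, `requirements.txt` and `pip.conf` contents, the `acme` scope and the `*.internal.example` registry URLs are hypothetical, and the set of "internal" names stands in for an organisation's own inventory.

```python
"""Flag dependency-confusion exposure in npm and pip project configuration.

Added example; the project, package names and registry URLs are constructed
and do not come from the article. Two configuration traits are checked:
  * npm: an internal package is safe only if it is scoped (@scope/name) and
    .npmrc maps that scope to a private registry; unscoped internal names
    cannot be routed by scope at all.
  * pip: `extra-index-url` merges indexes and takes the highest version across
    all of them, so every internal name becomes exposed; only `index-url`
    pointing at the private index (and no extra index) avoids the merge.
"""
import json
import re

# --- constructed sample inputs (hypothetical project) ---------------------
PACKAGE_JSON = json.dumps({
    "name": "acme-web",
    "dependencies": {
        "@acme/auth-client": "^2.1.0",
        "acme-billing-utils": "^1.4.0",   # internal but unscoped
        "@acme/logger": "~3.0.0",
        "express": "^4.18.2",
    },
})
NPMRC_WEAK = "registry=https://registry.npmjs.org/\n"
NPMRC_FIXED = (
    "registry=https://registry.npmjs.org/\n"
    "@acme:registry=https://npm.internal.example/\n"   # hypothetical private registry
    "always-auth=true\n"
)
REQUIREMENTS = "acme-auth==2.1.0\nacme-billing-utils>=1.4\nrequests==2.31.0\n"
PIP_CONF_WEAK = "[global]\nextra-index-url = https://pypi.internal.example/simple\n"
PIP_CONF_FIXED = "[global]\nindex-url = https://pypi.internal.example/simple\n"

# Names the organisation publishes only internally (hypothetical inventory).
INTERNAL_NPM = {"@acme/auth-client", "acme-billing-utils", "@acme/logger"}
INTERNAL_PIP = {"acme-auth", "acme-billing-utils"}


def npm_scope_registries(npmrc_text):
    """Return {scope: registry_url} for each '@scope:registry=' line in .npmrc."""
    mapping = {}
    for line in npmrc_text.splitlines():
        m = re.match(r"^(@[^:/]+):registry=(\S+)$", line.strip())
        if m:
            mapping[m.group(1)] = m.group(2)
    return mapping


def npm_exposures(package_json_text, npmrc_text, internal_names):
    """Map each exposed internal npm dependency to the reason it is exposed."""
    deps = json.loads(package_json_text).get("dependencies", {})
    scoped = npm_scope_registries(npmrc_text)
    findings = {}
    for name in deps:
        if name not in internal_names:
            continue
        if not name.startswith("@"):
            findings[name] = ("unscoped: .npmrc cannot route it to a private registry, "
                              "so the default (public) registry is consulted")
        else:
            scope = name.split("/", 1)[0]
            if scope not in scoped:
                findings[name] = f"scope {scope} has no private registry mapping in .npmrc"
    return findings


def pip_index_settings(pip_conf_text):
    """Return the set of index keys ('index-url', 'extra-index-url') set in pip.conf."""
    keys = set()
    for line in pip_conf_text.splitlines():
        m = re.match(r"^\s*(extra-index-url|index-url)\s*=", line)
        if m:
            keys.add(m.group(1))
    return keys


def pip_exposures(requirements_text, pip_conf_text, internal_names):
    """Map each exposed internal pip requirement to the reason it is exposed."""
    keys = pip_index_settings(pip_conf_text)
    # No private index-url, or any extra-index-url, means public PyPI is in the
    # candidate set and the highest version wins regardless of origin.
    merges_public = "extra-index-url" in keys or "index-url" not in keys
    findings = {}
    for line in requirements_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^([A-Za-z0-9_.\-]+)\s*(==|>=|~=|>|<|!=)?", line)
        name = re.sub(r"[-_.]+", "-", m.group(1)).lower()   # PEP 503 normalisation
        if name not in internal_names or not merges_public:
            continue
        reason = "resolved from a merged index set; highest version across public and private wins"
        if m.group(2) != "==":
            reason += " (version not pinned, so any higher public release is accepted)"
        findings[name] = reason
    return findings


if __name__ == "__main__":
    for label, result in [
        ("npm / weak .npmrc", npm_exposures(PACKAGE_JSON, NPMRC_WEAK, INTERNAL_NPM)),
        ("npm / fixed .npmrc", npm_exposures(PACKAGE_JSON, NPMRC_FIXED, INTERNAL_NPM)),
        ("pip / weak pip.conf", pip_exposures(REQUIREMENTS, PIP_CONF_WEAK, INTERNAL_PIP)),
        ("pip / fixed pip.conf", pip_exposures(REQUIREMENTS, PIP_CONF_FIXED, INTERNAL_PIP)),
    ]:
        print(f"{label}: {result or 'no exposure found'}")
```

The fixed npm configuration still leaves `acme-billing-utils` flagged: an unscoped internal name has nothing in `.npmrc` that can bind it to the private registry, which is why scoping internal packages is the usual remediation. The pip check treats a private `index-url` as sufficient; if that private index itself proxies through to public PyPI, the same merge happens server-side and a pinned version with `--hash` is the remaining control.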
