Supply Chain Security

Open Source Package Entry Points May Lead to Supply Chain Attacks

Entry points in packages across multiple programming languages are susceptible to exploitation in supply chain attacks.

Entry points in open source packages across multiple programming languages can be abused for code execution, leading to supply chain attacks, web application security firm Checkmarx warns.

In Python, for instance, entry points are designed as a mechanism for exposing specific package functionality, enabling developers to create command-line scripts to be executed after package installation, and can be used in applications to load plugins that provide additional functionality.

“The most popular kind of entry point is console_scripts, which points to a function that you want to be made available as a command-line tool to whoever installs your package,” Checkmarx explains.

Upon package installation, entry points are recorded in the package’s metadata and other packages can query the metadata to discover and use them.

“If an attacker can manipulate a legitimate package’s metadata or convince a user to install a malicious package, they can potentially execute arbitrary code on the user’s system whenever the defined command or plugin is invoked,” the security firm says.

Attackers could exploit Python entry points through command-jacking, malicious plugins, and malicious extensions to get users to execute malicious code.

Threat actors can build malicious packages that rely on entry points to pose as popular third-party tools, targeting developers who frequently use such tools in workflows.

“For instance, an attacker might create a package with a malicious ‘aws’ entry point. When unsuspecting developers who regularly use AWS services install this package and later execute the aws command, the fake ‘aws’ command could exfiltrate their AWS access keys and secrets,” Checkmarx explains.


Malicious packages could impersonate commands used in various development environments, such as docker, npm, pip, git, kubectl, terraform, gcloud, heroku, and dotnet. They could also impersonate system utilities by using command names such as touch, curl, cd, ls, and mkdir, among others.

While impersonating system utilities increases the chances that users will run the code by accident, it also raises the risk of failure (if the entry point’s directory does not appear earlier in the user’s PATH than the system directories) and of discovery (if the command the user expected is not executed).

To avoid suspicion, however, attackers can create entry points that act as wrappers for the original command, which will be executed along with the malicious code, thus maintaining the appearance of normal operation.
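A defender-side check for the command-jacking scenario described above, written for this article and not part of Checkmarx’s research: it enumerates the console_scripts entry points installed in the current interpreter and flags those named after the tools and utilities the article lists, those that collide with a same-named executable elsewhere on PATH (the wrapper case), or, as a weaker heuristic, those registered by a distribution whose name has nothing to do with the command. The watch-list and the `helper-utils` sample package are assumptions; Python 3.10+ is required for `importlib.metadata.entry_points(group=...)`.

```python
from dataclasses import dataclass
from importlib.metadata import entry_points  # group= keyword needs Python 3.10+
import re
import shutil
import sys
# Command names the article says attackers impersonate (dev tools and system utilities).
WATCHED_COMMANDS = {"aws", "docker", "npm", "pip", "git", "kubectl", "terraform",
                    "gcloud", "heroku", "dotnet", "touch", "curl", "cd", "ls", "mkdir"}

@dataclass(frozen=True)
class Finding:
    command: str    # console_scripts entry point name
    package: str    # distribution that registered it
    target: str     # "module:function" the generated script runs
    reasons: tuple  # why it was flagged

def _normalize(name: str) -> str:
    return re.sub(r"[^a-z0-9]", "", name.lower())

def collides_with_system_binary(name: str) -> bool:
    """True if a same-named executable resolves on PATH outside this interpreter's prefix."""
    found = shutil.which(name)
    return bool(found) and not found.startswith(sys.prefix)

def audit_console_scripts(eps, watched=WATCHED_COMMANDS, on_path=collides_with_system_binary):
    """Flag entry points named after a watched command, colliding with a PATH binary, or
    (weak heuristic) registered by a distribution whose name is unrelated to the command.
    `eps` yields (name, value, dist_name) tuples from importlib.metadata or sample data."""
    findings = []
    for name, value, dist in eps:
        reasons = []
        if name in watched:
            reasons.append("watched-command")
        if on_path(name):
            reasons.append("collides-with-path-binary")
        if _normalize(name) not in _normalize(dist):
            reasons.append("name-mismatch")
        if reasons:
            findings.append(Finding(name, dist, value, tuple(reasons)))
    return findings

def installed_console_scripts():
    """Yield (name, value, dist_name) for every console_scripts entry point visible here."""
    for ep in entry_points(group="console_scripts"):
        yield ep.name, ep.value, ep.dist.name if ep.dist else "<unknown>"

if __name__ == "__main__":
    for f in audit_console_scripts(installed_console_scripts()):
        print(f"{f.command:<12} {f.package:<24} -> {f.target}  [{', '.join(f.reasons)}]")
```

A finding with only `name-mismatch` is low confidence (many legitimate projects ship scripts named differently from the distribution); `collides-with-path-binary` on a watched name is the case worth investigating first, since it is exactly the wrapper pattern the article describes.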

According to Checkmarx, attackers can also create seemingly helpful plugins that use the entry points of popular tools and frameworks, such as pytest, to inject malicious code.

“The malicious plugin could then stealthily run malicious code in the background during testing. The malicious plugin could also override pytest’s assertion comparison, causing, for example, all equality checks to pass regardless of their actual values, leading to false positives in test results, allowing buggy or vulnerable code to pass quality checks unnoticed,” the security firm explains.

Additionally, malicious extensions for popular development tools, such as Flake8, could target entry points, leading to harmful behavior, malicious code injection, or operation results manipulation.

Checkmarx notes that entry points can be exploited in supply chain attacks targeting major ecosystems, including Dart Pub, npm (JavaScript), NuGet (.NET), Ruby Gems, and Rust Crates.

Related: Cryptocurrency Wallets Targeted via Python Packages Uploaded to PyPI

Related: Dependency Confusion Could Have Led to RCE in Google Cloud Platform

Related: Dell Announces New Supply Chain Security Offerings

Related: Code Execution Vulnerability Impacts Linux Package Manager

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
