Malicious npm packages contain Vidar infostealer

Typosquatting: One favorite tactic of threat actors trying to infect the open source software supply chain is typosquatting, the creation of packages with names similar to those of legitimate ones to trick unwitting developers searching for a particular library. For example, in 2018 a researcher found that threat actors had created phony libraries in the Python repository called ‘diango,’ ‘djago,’ ‘dajngo,’ to dupe developers seeking the popular ‘django’ Python library.

CISOs should ensure that employees are educated about the issue of typosquatting and learn what to look for. IT departments should keep a comprehensive inventory of what components are used by all approved software against which audits can be conducted, to ensure only approved components are in place. This inventory and audit should be performed to validate any new components that are introduced.
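The inventory-and-audit idea above can be automated at the point where a dependency enters a project. The following Node.js script is an added example, not code from the article or from any of the organizations it quotes: it compares the dependency names declared in a package.json against an approved-component inventory and flags anything that is unapproved or within a couple of edits of a well-known package name, which is the pattern a typosquat relies on. The package.json, the approved inventory, the list of well-known names and the typo-like names ("lodahs", "expres") are all constructed for the example.

```javascript
// Added example (not from the article): audit declared npm dependencies against an
// approved inventory and flag names that are lexically close to well-known packages.
// All package names, inventories and the sample package.json below are constructed.

// Levenshtein edit distance between two strings (single-row dynamic programming).
function levenshtein(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0]; // holds d[i-1][j-1] as we sweep j
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j]; // d[i-1][j], needed as next iteration's diag
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + cost);
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Strip an npm scope ("@scope/name" -> "name") so near-miss checks compare bare names;
// the full name is still what gets reported.
function bareName(name) {
  return name.startsWith('@') ? name.split('/')[1] || name : name;
}

// Returns findings for every dependency name in a parsed package.json object.
//   approved:    Set of exact package names the organisation has vetted (the inventory)
//   wellKnown:   array of popular package names used to spot typosquat candidates
//   maxDistance: a name this close (in edits) to a well-known one is reported
function auditDependencies(pkg, approved, wellKnown, maxDistance = 2) {
  const findings = [];
  const sections = ['dependencies', 'devDependencies', 'optionalDependencies'];
  for (const section of sections) {
    for (const name of Object.keys(pkg[section] || {})) {
      if (approved.has(name)) continue; // exact match on the inventory: nothing to report
      const finding = { name, section, reasons: ['not in approved inventory'] };
      const bare = bareName(name);
      for (const known of wellKnown) {
        const d = levenshtein(bare, known);
        if (d > 0 && d <= maxDistance) {
          finding.reasons.push(`name is ${d} edit(s) from well-known package "${known}"`);
        }
      }
      findings.push(finding);
    }
  }
  return findings;
}

// Constructed sample inputs: two legitimate dependencies and two typo-like names.
const SAMPLE_PACKAGE_JSON = {
  name: 'constructed-sample-app',
  dependencies: { lodash: '^4.17.21', lodahs: '^1.0.0', axios: '^1.6.0' },
  devDependencies: { expres: '^0.1.0' },
};
const APPROVED = new Set(['lodash', 'axios', 'express']);
const WELL_KNOWN = ['lodash', 'express', 'axios', 'react'];

function runSampleAudit() {
  return auditDependencies(SAMPLE_PACKAGE_JSON, APPROVED, WELL_KNOWN);
}

// Stand-alone run: print each finding on its own line.
for (const f of runSampleAudit()) {
  console.log(`${f.section}/${f.name}: ${f.reasons.join('; ')}`);
}
```

Wiring this into a pre-commit hook or a CI job turns the article's "audit against the inventory" into a gate that runs every time package.json changes; an unapproved name that is also one or two edits from a popular package is the case worth a human look before the install is allowed to proceed.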

What more to do?: There’s no shortage of advice for developers and IT and infosec leaders to help them avoid being victimized by malicious packages in open source repositories.

One tactic is to include a software bill of materials in every application an IT department acquires. With it, the DevOps/DevSecOps teams can track software components, identify vulnerabilities, and ensure compliance.

In 2021, the US Cybersecurity and Infrastructure Security Agency (CISA) and the US National Institute of Standards and Technology (NIST) published an advisory, Defending Against Software Supply Chain Attacks, providing advice for creating secure open source apps. It starts with the creation of a formal supply chain risk management program to ensure that supply chain risk receives attention across the organization, even among executives and managers within operations and personnel across supporting roles, such as IT, acquisitions, legal, risk management, and security.

An organization can reduce its software attack surface through configuration management, the advisory says, which includes:

- placing configurations under change control;
- conducting security impact analyses;
- implementing manufacturer-provided guidelines to harden software, operating systems, and firmware;
- maintaining an information system component inventory.

In addition, the Open Source Web Application Security Project (OWASP) offers this advice to developers using npm:

- always vet and perform due diligence on third-party modules that you install to confirm their health and credibility;
- hold off on immediate upgrades to new versions; allow new package versions some time to circulate before trying them out;
- before upgrading, make sure to review changelogs and release notes for the upgraded version;
- when installing packages, make sure to add the --ignore-scripts flag to disable the execution of any scripts by third-party packages;
- consider adding ignore-scripts to the .npmrc project file, or to the global npm configuration.

Finally, Andrew Krug, Datadog’s head of security advocacy, offered these additional tips:

- give developers the ability to install real-time package scanning at installation;
- guard against typosquatting and dependency confusion by prioritizing the use of internal package repositories as a guardrail for approved packages;
- maintain software bills of materials;
- deploy SCA (software composition analysis) at every phase of the software development lifecycle. Traditional SCA tools only periodically analyze code snapshots, he said, but effective detection must be complemented with real-time visibility into deployed services, including production, to reprioritize issues and focus on those exposed in sensitive environments.

This article originally appeared on InfoWorld.
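The OWASP advice to put ignore-scripts in the project's .npmrc is easy to state and easy to lose when someone rewrites the file. The script below is an added example, not code from the article, OWASP or npm: it parses a .npmrc in the key=value form npm uses, reports whether lifecycle scripts are disabled, and writes a hardened copy with ignore-scripts=true either replacing an existing ignore-scripts line or appended. The sample .npmrc contents (weak setting beside the corrected one) and the registry hostname in it are constructed; the checker only treats a literal "true" as disabling scripts and does not attempt to model every value spelling npm itself accepts.

```javascript
// Added example (not from the article): check whether a project's .npmrc disables
// package lifecycle scripts (ignore-scripts=true) and produce a hardened copy if not.
// The sample .npmrc text and the internal registry hostname below are constructed.

// Minimal parser for .npmrc: key=value per line; blank lines and lines starting with
// '#' or ';' are comments. Keys and values are trimmed; later keys overwrite earlier ones.
function parseNpmrc(text) {
  const config = {};
  for (const rawLine of text.split(/\r?\n/)) {
    const line = rawLine.trim();
    if (line === '' || line.startsWith('#') || line.startsWith(';')) continue;
    const eq = line.indexOf('=');
    if (eq === -1) continue; // not a key=value line; ignored by this checker
    config[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return config;
}

// Only an explicit "true" counts as disabling scripts (assumption of this checker).
function scriptsDisabled(config) {
  return config['ignore-scripts'] === 'true';
}

// Return the .npmrc text with ignore-scripts=true in place: an existing ignore-scripts
// line is replaced, otherwise the setting is appended. Every other line is kept verbatim.
function hardenNpmrc(text) {
  let replaced = false;
  const out = text.split(/\r?\n/).map((rawLine) => {
    const line = rawLine.trim();
    if (line.startsWith('#') || line.startsWith(';')) return rawLine;
    const eq = line.indexOf('=');
    if (eq !== -1 && line.slice(0, eq).trim() === 'ignore-scripts') {
      replaced = true;
      return 'ignore-scripts=true';
    }
    return rawLine;
  });
  if (!replaced) {
    // Keep the file's trailing-newline convention when appending.
    const endsWithNewline = out.length > 0 && out[out.length - 1] === '';
    if (endsWithNewline) out.pop();
    out.push('ignore-scripts=true');
    if (endsWithNewline) out.push('');
  }
  return out.join('\n');
}

// Constructed sample: registry pinned to an internal mirror, but scripts still allowed.
const WEAK_NPMRC = [
  '# constructed sample project .npmrc',
  'registry=https://registry.example.internal/',
  'ignore-scripts = false',
  'save-exact=true',
].join('\n') + '\n';

// Check the weak file, harden it, and re-check the result.
function checkSample() {
  const before = scriptsDisabled(parseNpmrc(WEAK_NPMRC));
  const hardened = hardenNpmrc(WEAK_NPMRC);
  const after = scriptsDisabled(parseNpmrc(hardened));
  return { before, after, hardened };
}

// Stand-alone run: show the before/after verdict and the hardened file.
const result = checkSample();
console.log(`scripts disabled before: ${result.before}, after: ${result.after}`);
console.log(result.hardened);
```

With ignore-scripts set project-wide, any dependency that genuinely needs a build step (native addons, for instance) has to be built deliberately, which is the point: the install itself no longer runs arbitrary third-party code, and the exceptions become visible decisions rather than defaults.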

First seen on csoonline.com

Jump to article: www.csoonline.com/article/4086415/malicious-npm-packages-contain-vidar-infostealer-2.html
