An automated attack within the NuGet open source ecosystem for .NET developers has resulted in a flood of malicious packages containing links to phishing campaigns.
That’s according to a joint report published Wednesday by Checkmarx and Illustria, which, on digging deeper, found that the automated attacks are not confined to NuGet but are aimed broadly at users of the npm, NuGet, and PyPI developer ecosystems.
The attack vector in the NuGet ecosystem involves the use of automated processes to create a large number of packages with names and descriptions designed to lure those interested in hacking, cheats, and free resources. These contain links to phishing campaigns built to steal personal information or other sensitive data.
The scale of this attack is unique, according to the report, because it involves the creation of over 144,000 packages by the same threat actor, a far larger number than is typically seen in such campaigns.
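One way to triage registry metadata for the pattern described above, as an added example that is not from the Checkmarx/Illustria report or from either company's tooling: the script below scores package names and descriptions for lure terms, extracts links to hosts outside an allowlist, and then groups packages by linked host to surface a burst of publications across several accounts, which is the signature of an automated campaign. The lure-term list, the host allowlist, the thresholds and every sample record are constructed for the example; the `.invalid` host is a reserved name that does not resolve.

```python
"""Heuristic triage of NuGet-style package metadata for automated lure campaigns."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Terms the campaign used to attract people looking for hacks, cheats and free
# resources. Assumed for the example, not taken from the report.
LURE_TERMS = ("hack", "cheat", "crack", "free", "generator", "aimbot",
              "mod menu", "nitro", "robux", "v-bucks")

# Hosts a legitimate description may point at. Assumed allowlist for the example.
ALLOWED_HOSTS = {"github.com", "www.nuget.org", "learn.microsoft.com"}

URL_RE = re.compile(r"""https?://[^\s)\]>"']+""")

# Constructed sample records in the shape of a NuGet search result
# (id, authors, description, published). None of these are real packages.
SAMPLE_PACKAGES = [
    {"id": "Contoso.Logging", "authors": "contoso-dev",
     "description": "Structured logging helpers for ASP.NET Core.",
     "published": "2022-12-01T10:00:00Z"},
    {"id": "Contoso.Json", "authors": "contoso-dev",
     "description": "Free and open source JSON library for .NET. Source: https://github.com/contoso/json",
     "published": "2022-11-28T08:30:00Z"},
    {"id": "Contoso.Telemetry", "authors": "contoso-dev",
     "description": "Client SDK for the Contoso telemetry service. Docs: https://contoso.example/sdk",
     "published": "2022-11-20T12:00:00Z"},
    {"id": "free-robux-generator-2022", "authors": "acct-0412",
     "description": "Get free robux now! Download the hack tool: http://example-lure.invalid/free",
     "published": "2022-12-05T09:00:00Z"},
    {"id": "fortnite-aimbot-cheat", "authors": "acct-0413",
     "description": "Free aimbot cheat, undetected. Visit http://example-lure.invalid/cheats",
     "published": "2022-12-05T09:00:40Z"},
    {"id": "discord-nitro-free", "authors": "acct-0413",
     "description": "Free Discord Nitro generator. Claim at http://example-lure.invalid/nitro",
     "published": "2022-12-05T09:01:15Z"},
    {"id": "gta5-mod-menu-hack", "authors": "acct-0987",
     "description": "Mod menu hack for free. Get it: http://example-lure.invalid/gta",
     "published": "2022-12-05T09:03:02Z"},
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamp used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def external_hosts(text):
    """Return lower-cased hostnames of URLs in `text` that are not allowlisted."""
    hosts = set()
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname
        if host and host.lower() not in ALLOWED_HOSTS:
            hosts.add(host.lower())
    return hosts


def lure_score(pkg):
    """Count distinct lure terms appearing in the package id or description."""
    blob = f"{pkg['id']} {pkg['description']}".lower()
    return sum(1 for term in LURE_TERMS if term in blob)


def triage_package(pkg, min_score=2):
    """Per-package signals: enough lure terms, and/or a link to a non-allowlisted host."""
    reasons = []
    score = lure_score(pkg)
    if score >= min_score:
        reasons.append(f"lure terms x{score}")
    hosts = external_hosts(pkg["description"])
    if hosts:
        reasons.append("external link: " + ", ".join(sorted(hosts)))
    return reasons


def find_campaigns(packages, window=timedelta(hours=24), min_packages=3):
    """Group packages by linked host; a host reached from several packages published
    inside one window, by several accounts, is treated as an automated campaign."""
    by_host = defaultdict(list)
    for pkg in packages:
        for host in external_hosts(pkg["description"]):
            by_host[host].append(pkg)
    campaigns = {}
    for host, pkgs in by_host.items():
        pkgs.sort(key=lambda p: parse_ts(p["published"]))
        # Densest publication burst: most packages within `window` of one start time.
        best = 0
        for i, start in enumerate(pkgs):
            t0 = parse_ts(start["published"])
            best = max(best, sum(1 for q in pkgs[i:] if parse_ts(q["published"]) - t0 <= window))
        if best >= min_packages:
            campaigns[host] = {
                "packages": [p["id"] for p in pkgs],
                "accounts": sorted({p["authors"] for p in pkgs}),
                "max_in_window": best,
            }
    return campaigns


if __name__ == "__main__":
    for pkg in SAMPLE_PACKAGES:
        reasons = triage_package(pkg)
        if reasons:
            print(f"{pkg['id']}: {'; '.join(reasons)}")
    for host, info in find_campaigns(SAMPLE_PACKAGES).items():
        print(f"campaign host {host}: {info['max_in_window']} packages in window, "
              f"{len(info['accounts'])} accounts")
```

The per-package signals are deliberately noisy: a benign SDK whose description links to its own documentation host is flagged for the external link alone, and a library describing itself as "free and open source" stays below the lure-term threshold. The host cluster is the stronger signal, because it holds regardless of how many throwaway accounts the automation creates, and it gives a defender a concrete artifact (the phishing host) to block or report rather than 144,000 individual package names.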
“The use of automated processes to create the packages and user accounts makes it difficult for security teams to identify and take down the packages,” Jossef Harush, head of supply chain security engineering at Checkmarx, tells Dark Reading.
Harush adds, “This makes the attack more dangerous and harder to defend against. It also highlights the need for organizations to be vigilant and take steps to protect themselves against these types of attacks.”
Automation: Improving Efficiency, Reducing Risk to Hackers
Harush explains the attackers likely invested in automation to poison the NuGet, PyPI, and npm ecosystems because it allows them to create a high volume of packages and user accounts in a short amount of time.
“This allows them to spam the open source ecosystem with many packages, potentially reaching a significant number of users and increasing the likelihood that they will fall victim to the phishing campaigns,” he says.
Additionally, because the use of automation makes it difficult for security teams to identify and take down the packages, the attackers can continue their campaign for a longer period.
“Automation also reduces the risk of the attackers being caught and allows them to operate more efficiently and with less risk,” Harush notes.
Malicious Packages: Key Preventive Measures
Beyond monitoring networks for signs of the phishing campaigns and other suspicious activity, and educating employees to be cautious when pulling packages from open source ecosystems, businesses should consider security tools and services that can identify such threats to their software supply chains and protect against them.
“Security postures against software supply chain attackers need to evolve in several ways to better defend against these threats,” Harush says. “First, the package managers need to improve their ability to detect and prevent the publication of malicious packages to open source ecosystems like NuGet, PyPI, and npm.”
He explains this may involve the use of technology to monitor these ecosystems and identify suspicious activity, as well as the development of better security practices and processes for identifying and responding to threats.
Harush points out that overall security postures against software supply chain attackers need to be more proactive, adaptable, and collaborative to effectively defend against these threats.
“This may involve a combination of technology, processes, and people working together to identify and respond to these threats in a timely and effective manner,” he says.
A recent report from Google also noted that security leaders should take a more holistic approach to addressing supply chain risks, and should work to implement the Supply Chain Levels for Software Artifacts (SLSA) framework when building software to ensure better software security and integrity.