Pseudonymous authors published more than 150 copycat packages just three days after Sonatype published research around a software supply chain flaw, attempting to exploit the vulnerabilities in the brief window before a patch.
Ethical hacker and security researcher Alex Birsan posted a blog on Feb. 9 that detailed how he used dependency, or namespace, confusion “to push his malicious proof-of-concept (PoC) code to internal development builds of over 35 major tech organizations including Microsoft, Apple, Tesla, Uber and others.” Sonatype released its own analysis of his findings, the company said.
“Within 48 hours of reports emerging on Birsan’s findings, Sonatype’s automated malware detection systems, part of Nexus Intelligence, began flagging over 150 copycat npm packages published by different authors,” imitating Birsan’s PoC research, the company said. “We are actively seeing more of these packages coming in every few hours.”
When lapses like these occur, "attack channels feel new and get a lot more attention: first from those chasing bug bounties, and second from a likely wave of actual attacks," Sonatype chief technology officer Brian Fox told SC Media via email. "I anticipate that some of these bad actors will pose as the first wave of ethical researchers, possibly even declaring their components to be 'for security research' while actually being malicious."
Namespace confusion isn’t a new attack channel for hackers, he noted, adding that the attack vector has been tracked for more than 16 years. "What Birsan’s research highlights is the sacrifice to security that comes from the age-old dilemma between repository managers and developers."
The tension between repository safeguards, like namespace verification, and ease of use for developers, Fox said, "left an opportunity for namespace confusion’s resurgence, which is what we’re seeing now."
Birsan posted that he was “able to automatically scan millions of domains belonging to the targeted companies and extract hundreds of additional javascript package names which had not yet been claimed on the npm registry” then uploaded his code “to package hosting services under all the found names and waited for callbacks.”
Calling the success rate “simply astonishing,” Birsan wrote: “From one-off mistakes made by developers on their own machines, to misconfigured internal or cloud-based build servers, to systemically vulnerable development pipelines, one thing was clear: squatting valid internal package names was a nearly sure-fire method to get into the networks of some of the biggest tech companies out there, gaining remote code execution, and possibly allowing attackers to add backdoors during builds.”
Microsoft took aim at this issue, releasing a vulnerability identifier (CVE-2021-24105) for its Azure Artifacts product on Patch Tuesday.
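A defender-side check for the misconfigured build servers and squattable internal names Birsan describes, as an added example that is not code from the article, Sonatype or Birsan: it reads a package-lock.json "packages" map and flags internal package names that were resolved from a host other than the organisation's own registry, or that are unscoped. The registry host, the package names and the lockfile excerpt are constructed assumptions.

```javascript
// Added example, not code from the article. Host, names and lockfile are constructed.
const INTERNAL_HOST = "npm.internal.example"; // assumption: the private registry host
const INTERNAL_NAMES = new Set(["acme-billing-core", "acme-logger", "@acme/ui-kit"]);

// Constructed package-lock.json excerpt (lockfileVersion 3 "packages" map).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "storefront", version: "1.0.0" },
    "node_modules/acme-billing-core": {
      version: "2.3.1",
      resolved: "https://npm.internal.example/acme-billing-core/-/acme-billing-core-2.3.1.tgz",
    },
    "node_modules/acme-logger": {
      version: "99.0.0",
      resolved: "https://registry.npmjs.org/acme-logger/-/acme-logger-99.0.0.tgz",
    },
    "node_modules/@acme/ui-kit": {
      version: "4.0.0",
      resolved: "https://npm.internal.example/@acme/ui-kit/-/ui-kit-4.0.0.tgz",
    },
    "node_modules/left-pad": {
      version: "1.3.0",
      resolved: "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
    },
  },
};

// Return one finding per internal package that has at least one issue.
function auditLockfile(lock, internalNames, internalHost) {
  const marker = "node_modules/";
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project entry, not a dependency
    // Nested installs look like node_modules/a/node_modules/b: keep the last name.
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    if (!internalNames.has(name)) continue;
    let host = null;
    try { host = new URL(entry.resolved).host; } catch { /* missing or non-URL source */ }
    const issues = [];
    if (host !== internalHost) issues.push("resolved-outside-internal-registry");
    if (!name.startsWith("@")) issues.push("unscoped-name"); // claimable publicly if unclaimed
    if (issues.length) findings.push({ name, version: entry.version, host, issues });
  }
  return findings;
}

console.log(JSON.stringify(auditLockfile(SAMPLE_LOCK, INTERNAL_NAMES, INTERNAL_HOST), null, 2));
```

Run as a CI step against the committed lockfile, a "resolved-outside-internal-registry" finding is the signal that a build pulled an internal name from a public source.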