Supply Chain Attack
If I told you to
- go and download some code from the internet
- created by someone you have never met and do not know
- unpack this code
- and run it on your computer without looking at its source
Would you do it?
- running it on your company servers?
- or in you CI pipelines during production deployment?
How about
Would you do it?
Multiple times
We do it every single day
That's how the ecosystem around packages and package managers work
The whole "package" managers ecosystem is built on trust.
We blindly trust package maintainers
that their code is safe.
Supply Chain Attack
abuses this trust
My computer
Registry
give me
package Foo
in version 1.2.3
sure, here it is
Foo
1.2.0
Foo
1.2.1
Foo
1.2.3
Foo
1.2.2
Foo
1.2.4
Foo
1.2.3
How package manager works?
My computer
Registry
give me
package Foo
in version ~1.2.3
sure, here it is
Foo
1.2.0
Foo
1.2.1
Foo
1.2.3
Foo
1.2.2
Foo
1.2.4
Foo
1.2.4
How package manager works?
- Attacker gains an access to the registry acting as a verified package maintainer
- Publishes new version of a package containing malicous code
- The package can get installed and executed by trusting developers all around the world
Supply Chain Attack
They usually steal login credentials
or auth tokens
- targeted phishing campaigns
- by gaining access to maintainer devices through another methods (code injection, malware...)
How attacker gets access to the registry?
It depends
In case of NPM it is usualy few hours until someone notices
Few hours is a plenty of time to infect thousands of devices
How long is the package with malicous code available?
How to defend ourselves?
We can only minimize our exposure
- disallow automatic code run of just installed package ("postinstall" scripts in case of NPM)
- lock your versions using lock files (package-lock.json, yarn.lock...)
- do not allow automatic updates (specify exact versions without ~, ^, >= and similar operators
- run `npm audit` periodically, ideally in your CI pipelines
- use 3rd party services to scan for vulnerabilities
