Multiple security vulnerabilities have been disclosed in popular package managers that, if exploited, could be abused to run arbitrary code and access sensitive information, including source code and access tokens, from compromised machines.
However, it should be noted that the vulnerabilities require the targeted developers to handle a malicious package in conjunction with one of the affected package managers.
“This means that an attack cannot be performed directly against a remote developer’s machine and requires the developer to be tricked into downloading erroneous files,” said SonarSource researcher Paul Gerste. “But can you always know and trust the owners of all the packages you use from the internet or from the company’s internal repositories?”
Package managers refer to systems or a set of tools used to automatically install, upgrade, and configure third-party dependencies required for application development.
While there are inherent security risks in rogue libraries making their way into package repositories – requiring that dependencies be thoroughly vetted to guard against typosquatting attacks and dependency confusion – “the act of managing dependencies is not generally considered a potentially risky activity.”
But newly discovered problems in various package managers highlight that they can be weaponized by attackers to trick victims into executing malicious code. Bugs have been identified in the following package managers:
Composer 1.x
Chief among the weaknesses is a command injection vulnerability in Composer’s browse command that could be abused to execute arbitrary code by injecting a URL into a published malicious package.
If the package leverages typosquatting or dependency confusion, it can lead to a situation where running the browse command for the library results in the retrieval of a payload at a later stage, which can then be used to launch subsequent attacks.
Additionally, argument injection and untrusted search path vulnerabilities discovered in Bundler, Poetry, Yarn, Composer, Pip, and Pipenv mean that a bad actor could execute code using a malware-laced git executable or an attacker-controlled file such as a Gemfile, which is used to specify dependencies for Ruby programs.
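The browse-command weakness described above comes down to package-supplied URL metadata reaching a shell. As an added illustration (not SonarSource’s or Composer’s code; the composer.json sample is constructed and the "homepage"/"support" fields are assumed), this audits a manifest’s URLs and builds a shell-free argument vector for opening only those that pass validation:

```python
import json
from urllib.parse import urlsplit

# Constructed sample manifests (not taken from any real package).
CLEAN_MANIFEST = json.dumps({"name": "acme/widget", "homepage": "https://example.com/widget"})
SUSPICIOUS_MANIFEST = json.dumps({
    "name": "acme/widget",
    "homepage": "https://example.com/$(echo injected)",
    "support": {"source": "https://example.com/src; echo injected"},
})

# Characters that must never appear in a URL handed to a command line.
SHELL_META = set(";|&$`<>(){}\n\r'\"\\ ")


def url_is_safe_to_open(url):
    """Accept only absolute http(s) URLs with a host and no shell metacharacters."""
    if not isinstance(url, str):
        return False
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return False
    return not any(ch in SHELL_META for ch in url)


def audit_manifest_urls(manifest_text):
    """Return {field: url} for every URL in the manifest that fails validation."""
    data = json.loads(manifest_text)
    candidates = {"homepage": data.get("homepage")}
    for key, value in (data.get("support") or {}).items():
        candidates["support." + key] = value
    return {field: url for field, url in candidates.items()
            if url is not None and not url_is_safe_to_open(url)}


def build_open_command(url, opener="xdg-open"):
    """Argument vector for subprocess.run(argv) with shell=False; refuses untrusted URLs.

    Passing a list to subprocess (rather than a string to a shell) means the URL
    is delivered to the opener as a single argument and is never parsed by a shell.
    """
    if not url_is_safe_to_open(url):
        raise ValueError("refusing to open untrusted URL: %r" % (url,))
    return [opener, url]
```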
Following responsible disclosure on September 9, 2021, fixes were released to address the issues in Composer, Bundler, Bower, Poetry, Yarn, and Pnpm. But Composer, Pip, and Pipenv, all three affected by the untrusted search path vulnerability, chose not to address the bug.
“Developers are an attractive target for cybercriminals because they have access to a company’s core intellectual property: the source code,” says Gerste. “Compromising them allows attackers to spy or to embed malicious code in company products. This could even be used to perform supply chain attacks.”