Open Source Security: Google and OpenSSF Want to Limit Risks

Google has detailed some of its efforts to find bundles of malicious code introduced into large free software projects.

Automatic package analysis

The Package Analysis Project is one of the software supply chain initiatives of the Linux Foundation’s Open Source Security Foundation (OpenSSF). It aims to automate the identification of malicious packages distributed through popular package repositories such as npm for JavaScript and PyPI for Python.

It performs dynamic analysis of all packages uploaded to popular open source repositories. The aim is to provide data on the main types of malicious packages and to inform people working in open source supply chain security on how best to improve it.

“Unlike mobile app stores that can scan and reject malicious contributions, package repositories have limited resources to review the thousands of daily updates and must maintain an open model where anyone can freely contribute. As a result, malicious packages like ua-parser-js and node-ipc are regularly pushed to popular repositories despite their best efforts, with sometimes devastating consequences for users,” says Caleb Brown of Google’s free software security team, in a blog post. “Despite the essential role of free software in all software built today, it is very easy for malicious actors to circulate malicious packages that attack systems and users.”

Essential links

The Package Analysis Project identified over 200 malicious packages in one month, according to OpenSSF. For example, it found Discord token-stealing attacks in packages distributed on PyPI and npm. The PyPI package “discordcmd”, for example, attacks Discord’s Windows client via a backdoor uploaded to GitHub and installed in the Discord app to steal its tokens.

Attackers distribute malicious packages on npm and PyPI often enough that OpenSSF, of which Google is a member, has decided to act.

In March, researchers discovered hundreds of malicious npm packages used to target developers using Microsoft’s Azure cloud, most of them typosquatting and dependency confusion attacks. Both are social engineering techniques: typosquatting consists of publishing a malicious package whose name closely resembles that of a legitimate one, in order to take advantage of the victim’s inattention. Dependency confusion attacks rely on abnormally high version numbers for a package that, in fact, may not have any previous version available.

More fear than harm

OpenSSF says that most malicious packages detected are dependency confusion and typosquatting attacks. But the project believes most of them are likely the work of security researchers who participate in bug bounties.

“Packages found usually contain a simple script that runs during installation and contacts a command server with some details about the infected machine. These packages are likely the work of security researchers looking for bug bounties, as most of them do not exfiltrate any significant data except the machine name or a username, and do not attempt to hide their behavior,” explain OpenSSF and Google.

OpenSSF notes that any of these packages “could have a much more devastating effect on victims who installed them, which is why package analysis provides a countermeasure to these types of attacks.”
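As an added illustration, not code from Google, OpenSSF or the article, the following Python review applies the three signals described above (a name close to a popular package, an abnormally high version number, and an install-time hook that reaches out to a remote host) to an npm package.json manifest. The list of popular names and the two sample manifests are constructed for the example; a real check would draw the popular names from registry download statistics.

```python
import re

# Constructed list of popular package names; a real check would pull these
# from registry download statistics (an assumption, not from the article).
POPULAR = {"lodash", "express", "react", "axios", "ua-parser-js", "node-ipc"}

# Lifecycle hooks that npm runs automatically when a package is installed.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

# Tools or URL schemes an install script would use to reach a remote host.
NETWORK_RE = re.compile(r"\b(curl|wget|nc)\b|https?://")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two package names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def review_manifest(manifest: dict, popular=POPULAR) -> list:
    """Return the findings raised by the three checks for one package.json."""
    findings = []
    name = manifest.get("name", "")
    # Typosquatting: a name one edit away from a popular package, but not it.
    for p in sorted(popular):
        if name != p and edit_distance(name, p) == 1:
            findings.append(f"typosquat-of:{p}")
    # Dependency confusion: an implausibly high major version on a new package.
    major = manifest.get("version", "0").split(".")[0]
    if major.isdigit() and int(major) >= 99:
        findings.append("suspicious-version")
    # Install-time hooks that call out to the network: the behaviour the
    # article reports for the packages found.
    scripts = manifest.get("scripts", {})
    for hook in INSTALL_HOOKS:
        if NETWORK_RE.search(scripts.get(hook, "")):
            findings.append(f"network-in-{hook}")
    return findings


# Constructed sample manifests (not real packages).
SUSPICIOUS = {"name": "expres", "version": "99.10.9",
              "scripts": {"postinstall": "curl -s http://example.invalid/beacon"}}
BENIGN = {"name": "my-internal-widget", "version": "1.4.2",
          "scripts": {"test": "jest"}}
```

Run `review_manifest(SUSPICIOUS)` to see all three findings raised at once, and `review_manifest(BENIGN)` to see an empty list.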

The recent Log4j flaw highlighted the general security risks of the open source software supply chain. The component has been embedded in tens of thousands of enterprise applications and has led to a massive and urgent US government cleanup. Last week, Microsoft also highlighted the role of software supply chain attacks by Russian state-backed hackers in military attacks on Ukraine.

Last February, Google and Microsoft injected $5 million into OpenSSF’s Alpha-Omega project to address supply chain security. The Alpha stream works with the maintainers of the most critical open source projects, while the Omega stream will select at least 10,000 widely deployed open source programs for automated security analysis.

Source: ZDNet.com
