Supply Chain Malware

[stratofax]

This week, two separate supply chain hacks were discovered on PyPi.org. From BleepingComputer.com - Technology news:

• Popular Python and PHP libraries hijacked to steal AWS keys by replacing "the older, safe versions of [the PyPi.org package] 'ctx' with code that exfiltrates the developer's environment variables, to collect secrets like Amazon AWS keys and credentials."
• Malicious PyPI package opens backdoors on Windows, Linux, and Macs with a typo-squatting attack, where a "malicious package named 'pymafka' ... The name is very similar to PyKafka, a widely used Apache Kafka client."

In both cases, the packages were removed from the PyPi.org registry, but not before several hundred (or more) developers downloaded the packages.

This list is not comprehensive, and may not even cover all of the malicious code on PyPi that was discovered this week, to say nothing of all of the malicious code that's still there in the PyPi.org registry, yet to be discovered.

The issue for OSET is simple: these kinds of supply chain injections could be immensely damaging to the security of OSET code, and OSET's reputation.

This is not just a language specific problem for Python, but for any language that allows developers to download code from public registries or repositories. Similar attacks, for example, have plagued npm within the last year, as well:

• Popular UA-Parser-JS NPM library hijacked to install password-stealers, miners in October of 2021.
• Popular 'coa' and 'rc' NPM libraries hijacked to steal user passwords in November of 2021.

What are some of the ways OSET can prevent these kinds of attacks? Post your ideas here.

[stratofax]

The repo tag-security/supply-chain-security/compromises at main · cncf/tag-security contains samples of most types of supply chain hacks.

[windoverwater]

Yeah - supply chain malware is probably a whole security domain at this point. There are things like https://github.com/ossillate-inc/packj and https://github.com/marketplace/actions/owasp-dependency-track-check

And there are even meta attacks like https://blog.checkpoint.com/2022/08/03/github-users-targeted-in-supply-chain-attack/

Another reason to add OWASP and/or other scans to the CI pipeline (before PRs are reviewed)

[stratofax]

Can we automate the use of OWASP?

[windoverwater]

Well, I have only been using Jenkins for the past N years and with that it was straight forward. It seems to be a little bit more home grown in github but ultimately still do-able - we should be able to minimally build a docker image and run that as an action/workflow when a PR is created and after a merge to master.

[windoverwater]

FWIIW - starting playing around with native github dependency (supply chain) scans (CodeQL) and dependabot (automatic dependency version updater). Still (a lot) more to understand but it seems like CodeQL is what 'people' are using instead of OWASP on github. ? From a distance it seems fine. Does anyone have more experience with CodeQL? Here a few links for VoteTracker+ which is where I am spelunking:

This list of dependencies CodeQL finds: https://github.com/TrustTheVote-Project/VTP-root-repo/network/dependencies

Vulnerability page: https://github.com/TrustTheVote-Project/VTP-root-repo/security/code-scanning

[stratofax]

That dependency report seems pretty tight! How long does it take to run? Should we make it part of the standard PR scan?

[windoverwater]

It seems to take about 5 minutes or so to run. I am still trying to come up to speed on dependabot, actions, and workflows, but I think the answer to the second question is yes.

Also, I have started to receive these types of security alerts for all of TTVP - there seems to be a lot of CVE violations in a lot of repos. Do you guys get them?

[ion-oset]

No. Or at least not yet, since we should. When you are ready to explain it how the dependency report works we can get that set up, and start receiving them.

[windoverwater]

Arg - may have used the wrong email addresses - here is an open link to the gdoc copy of the article: https://drive.google.com/file/d/1-MOSYQ-vxDDvynw0zLDYKM3BXxeKhGrk/view?usp=sharing

[windoverwater]

FYI - got this today - sending it as you guys may not have the access rights into security issues in the repo

[ashishbijlani]

Nice to see Packj being mentioned. I'm the author. Hello!

I'd be happy to demo and work with you to integrate the Github plugin that audits PRs for malicious/"risky" packages. Only looking for feedback on how to improve the tool. Thanks!