Cybercriminals seek strategies to achieve their objectives: in some cases, it is users’ information; in others, connections; sometimes they generate networks of computers under their control (botnets), etc. Any user is a potential victim, but if, in addition, they can get others to distribute their malicious code without knowing it, we are talking about an invaluable gain for criminals.
Therefore, they have realised that infiltrating malicious code into packages that developers use to generate their projects is a very effective way of spreading it to as many victims as possible, as well as benefiting from anonymity.
In this way, every time a developer, anywhere in the world, uses the corrupt package that was leaked inside the library in any kind of code, he will distribute the malicious segment and making the traceability will be almost impossible, since there are libraries that have been downloaded millions of times.
In the last year several samples of this practice have been found using mainly NPM library packages and Python library packages. Criminals used different techniques to hide their actions and bypass the controls in these libraries, let’s see which ones
What Are the Techniques Used by Cybercriminals?
Although the techniques are diverse, we are going to focus on those that, after their detection, could be shown that they had been available in the libraries for a long time:
- Typosquatting: as we have previously mentioned, this technique is used in various types of computer attacks and is based on modifications in the names of the packages that confuse users or loading one of these malicious codes after a typing error.
The clearest example of this method was presented in the PyPi library of Python where two malicious packages were detected that used name mutations for their propagation, as in the case of jeIlyfish with jellyfish. This name mutation was intended to obtain the SSH authentication keys on the different servers or computers where any development using this package was installed
These packages were available for over a year in the PyPi library, where they were downloaded more than a hundred thousand times, which gives the attacker a wide impact and dispersion in terms of possible targets, as this code may still be used in some business or home developments that are not properly maintained or monitored.
- Brandjacking: this type of attack takes advantage of the importance of a package to create a mutation or simulation of it. The main difference with the previous technique is that it does not appeal to the possible error of a developer when typing the requirement into the code, but creates a package that has exactly the same name but usually adds the name of the language that is being worked on.
In the NPMjs library packages this technique has been detected several times, using packages like twilio, which has about 500 thousand downloads, to create a malicious package that uses its recognition to supplant it with the twilio-npm package, which with only 3 days online achieved 371 downloads.
These two basic examples show that criminals are always looking to deploy their malicious code using various mechanisms, demonstrating that they can put at risk any user with or without computer or information management knowledge.
This also confirms that it is vital that development companies look for mechanisms to detect these strategies, complying with methodologies that guarantee safe development in order to minimise that this type of threat is exploited and endangers users.
As for the companies behind this type of development language, internal and community efforts are being made to detect these threats in the shortest possible time. An example of these alliances is the OSSF (Open Source Security Foundation), of which we are an active part, that seeks to develop tools and communication with the aim of improving the security of the developments and that the computer development companies have references or elements to validate the life cycle of their developments.
