Open source security: Google and OpenSSF want to limit the risks

Google has detailed some of its efforts to find bundles of malicious code introduced into major free software projects.

The Package Analysis Project is one of the software supply chain initiatives of the Linux Foundation’s Open Source Security Foundation (OpenSSF). It is intended to automate the identification of malicious packages distributed on popular package repositories, such as npm for JavaScript and PyPI for Python. It performs dynamic analysis of all packages uploaded to popular free software repositories, aiming to provide data on the main types of malicious packages and to inform people working on open source supply chain security about how best to improve it.


“Unlike mobile app stores which can scan and reject malicious contributions, package repositories have limited resources to review the thousands of daily updates and must maintain an open model where anyone can contribute freely. Therefore, malicious packages such as ua-parser-js and node-ipc are regularly uploaded to popular repositories despite their best efforts, with sometimes devastating consequences for users,” writes Caleb Brown of Google’s Open Source Security Team in a blog post.

“Despite the essential role of free software in all software built today, it is far too easy for malicious actors to circulate malicious packages that attack systems and users.”

The Package Analysis Project identified more than 200 malicious packages in a month, according to OpenSSF. For example, it found Discord token theft attacks in packages distributed on PyPI and npm. The “discordcmd” PyPI package, for instance, attacks Discord’s Windows client via a backdoor uploaded to GitHub and installed into the Discord app to steal Discord tokens.

Attackers distribute malicious packages on npm and PyPI often enough that OpenSSF, of which Google is a member, decided to take action.

In March, researchers discovered hundreds of malicious npm packages used to target developers working with Microsoft’s Azure cloud, most of them typosquatting and dependency confusion attacks. Both are forms of social engineering: typosquatting consists of offering a malicious package on the platform under a name very similar to that of a legitimate one, in order to exploit the victim’s inattention. Dependency confusion attacks rely on abnormally high version numbers for a package that, in fact, may have no earlier version available.
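As an added example (not code from the article, from OpenSSF or from the Package Analysis Project), the following Python script applies the two heuristics just described, a near-match against popular package names and a version check against known internal package names, to constructed sample package metadata; the popular-package list, the internal-package list and the version threshold are assumptions standing in for a real registry index.

```python
"""Heuristic checks for typosquatting and dependency confusion candidates.
Added example; the lists below are constructed assumptions, not real data."""

POPULAR = sorted({"requests", "numpy", "pandas", "lodash", "express"})  # constructed
INTERNAL_LATEST = {"acme-billing": "1.4.2", "acme-auth": "0.9.0"}      # constructed
HIGH_MAJOR = 90  # assumption: a first release at major version >= 90 is suspicious


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; an unknown name one edit from a popular one is a red flag."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_version(v: str) -> tuple:
    """Numeric tuple so that '99.0.0' sorts above '1.4.2' (string order would not)."""
    return tuple(int(p) for p in v.split("."))


def analyze(name: str, published_versions: list) -> list:
    """Return findings for a package observed on a public registry."""
    findings = []
    # Typosquatting: name is not a known popular package but is within one edit of one.
    if name not in POPULAR:
        for popular in POPULAR:
            if edit_distance(name, popular) <= 1:
                findings.append(f"typosquat-candidate:{popular}")
    # Dependency confusion: public name collides with an internal package and its
    # newest version outranks the internal one, so a naive resolver would prefer it.
    newest = max(published_versions, key=parse_version)
    if name in INTERNAL_LATEST:
        if parse_version(newest) > parse_version(INTERNAL_LATEST[name]):
            findings.append(f"dependency-confusion:{newest}>{INTERNAL_LATEST[name]}")
    # A single, abnormally high first release with no earlier version is typical
    # of confusion attempts, as the article describes.
    if len(published_versions) == 1 and parse_version(newest)[0] >= HIGH_MAJOR:
        findings.append(f"abnormal-version:{newest}")
    return findings


if __name__ == "__main__":
    samples = [("requets", ["2.28.1"]), ("acme-billing", ["99.0.0"]), ("numpy", ["1.24.0"])]
    for pkg, versions in samples:
        print(pkg, analyze(pkg, versions))
```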

More fear than harm

OpenSSF says most of the malicious packages it detected were dependency confusion and typosquatting attacks. But the project believes that most of them are probably the work of security researchers participating in bug bounty programs.

“Packages found usually contain a simple script that runs during installation and contacts a command server with some details about the infected machine. These packages are most likely the work of security researchers looking for bug bounty since most of them don’t exfiltrate any meaningful data except the name of the machine or a username, and they make no attempt to conceal their behavior,” explain OpenSSF and Google.

OpenSSF notes that any of these packages “could have had a far more devastating effect on the victims who installed them, which is why package analysis provides a countermeasure to these types of attacks.”

The recent Log4j flaw highlighted the general security risks of the open source software supply chain. The component was embedded in tens of thousands of enterprise applications and prompted a massive and urgent cleanup effort from the US government. Last week, Microsoft also highlighted the role of software supply chain attacks by Russian state-backed hackers in the military attacks on Ukraine.

Last February, Google and Microsoft injected $5 million into OpenSSF’s Alpha-Omega project to tackle supply chain security. The Alpha stream works with the maintainers of the most critical open source projects, while the Omega stream will select at least 10,000 widely deployed open source programs for automated security analysis.
