The Hitchhiker's Guide to Malicious Third-Party Dependencies
Piergiorgio Ladisa, Merve Sahin, Serena Elisa Ponta, Marco Rosa, Matias Martinez, Olivier Barais

TL;DR
This paper analyzes how malicious actors exploit package managers across seven ecosystems to execute arbitrary code. It describes the attack techniques and evasion strategies involved and provides recommendations to mitigate supply chain attack risks.
Contribution
It identifies and categorizes 7 attack techniques in package ecosystems and offers mitigation strategies, advancing understanding of supply chain security vulnerabilities.
Findings
Identified 3 install-time attack techniques.
Identified 4 runtime attack techniques.
Provided proof-of-concept demonstrations.
Abstract
The increasing popularity of certain programming languages has spurred the creation of ecosystem-specific package repositories and package managers. Such repositories (e.g., npm, PyPI) serve as public databases that users can query to retrieve packages for various functionalities, whereas package managers automatically handle dependency resolution and package installation on the client side. These mechanisms enhance software modularization and accelerate implementation. However, they have become a target for malicious actors seeking to propagate malware on a large scale. In this work, we show how attackers can leverage capabilities of popular package managers and languages to achieve arbitrary code execution on victim machines, thereby realizing open-source software supply chain attacks. Based on the analysis of 7 ecosystems, we identify 3 install-time and 4 runtime techniques, and we…
