Explore the world of software supply chain attacks and learn how to defend against them in this 42-minute conference talk from nullcon. Dive into the sophisticated techniques used by bad actors, such as typo-squatting, repo-jacking, and social engineering, to infiltrate open-source package managers like NPM and PyPI. Discover PACKJ, a data-driven security analysis framework designed to measure and control potential supply chain risks when adopting open-source packages. Learn about the framework's use of static code analysis, dynamic tracing, and metadata checks to detect risky attributes in packages. Gain insights into various attack techniques, including dependency confusion and account hijacking, and understand why manual vetting and vanity stats are insufficient for package security. See a demonstration of the PACKJ tool in action, detecting risky packages and mitigating supply chain attacks, and explore real-world examples like the Colors and Faker attack from January 2022.
Unearthing Malicious and Risky OpenSource Packages Using Packj
Overview
Syllabus
Intro
Open-source software is everywhere
Package Managers
Package Installation today - dependency hell
Software Supply Chain Attack
Attack Techniques: Typosquatting
Technique: Social Engineering
Technique: Dependency Confusion
Technique: Account Hijacking
How do we defend against these attacks?
Manual Vetting is infeasible
Vanity Stats are not enough
Packj: a dev-friendly vetting tool
Deep Metadata Analysis
Rigorous API Analysis
Runtime Analysis
Remote Code Execution Attack
Dependency Confusion Attack - Feb 2021
Colors and Faker Attack - Jan 2022
Taught by
nullcon
