Checkmarx, this week, reported it has discovered malicious software packages that, in addition to injecting malware capable of bypassing endpoint security to exfiltrate data, also provide persistent remote access and control of desktops and servers.
Darren Meyer, security research advocate at Checkmarx, said the attack appears to be targeting applications developers using Colorama, a widely-used Python package for colorizing terminal output and a similar JavaScript package on NPM. These malicious packages were uploaded to the PyPI repository.
The goal is to use typo-squatting and name-confusion to trick application developers into downloading these packages as part of an effort to compromise software supply chains, said Meyer.
However, the malicious packages have since been removed from the PyPl repository for unknown reasons, so they may have been created to target a specific organization, he added. Checkmarx researchers were also able to track the development of these malicious packages back to a specific account on the GitHub repository.
Regardless of motivation, these malicious packages are the latest example of increasingly sophisticated attacks being launched against software supply chains, noted Meyer. Rather than simply trying to steal data, it’s apparent that cybercriminals are looking to gain more persistent footholds in application development environments.
The approach not only makes it possible to continually steal data as code is developed, but it also creates an opportunity to further distribute malware into downstream applications before they are deployed in production environments.
The challenge is that efforts to secure software supply chains remain a work in progress. A survey from The Futurum Group, for example, finds that only 16% of respondents feel their organization has achieved a tight partnership based on shared goals across their application development and cybersecurity teams.
On the plus side, a similar Checkmarx survey finds that more application security resources are shifting toward the teams that build and deploy software, versus being the sole responsibility of a centralized cybersecurity organization.
As application security increasingly becomes a shared responsibility, more care will be exercised over what software packages are allowed to be downloaded. Even then, DevSecOps teams will still need to continuously scan any third-party code that is being incorporated into downstream applications, especially if it has been downloaded from any type of public repository.
In the meantime, DevSecOps teams should assume that tactics and techniques used to compromise software supply chains are only going to continue to become more lethal. In terms of rich targets, cybercriminals have clearly put application developers and software engineers at the top of their lists. Many of them are counting on the fact that far too many application developers continue to routinely download code from public repositories without appreciating cybersecurity implications.
Short of prohibiting access to these public repositories altogether, the only viable option continues to be a mix of training augmented by tools that will hopefully identify security issues as far left into the software development lifecycle as possible. After all, the one certain thing is that the longer a threat is allowed to persist, the more damage there will be inflicted.