Over the past few months, attackers have increasingly targeted the software supply chain by populating package managers and code marketplaces with malicious code.
Most recently, RubyGems maintainers removed two malicious gems from the repository of Ruby code packages and libraries. The gems pretty_color and ruby-bitcoin contained code which replaced cryptocurrency wallet addresses present in the clipboard of the infected Windows machine with a wallet address belonging to the attacker. The victim is unlikely to notice that the wallet address copied is different from the one being pasted, allowing the attacker to intercept transactions and steal cryptocurrency funds.
Security firm Sonatype, which scans open source components, found that pretty_color was an “identical replica” of a known package colorize, except it also contained a file version.rb with obfuscated code to run the malicious script. A scrupulous developer checking the gem’s contents would have seen the code to set text color, background color, and text effects, but could have missed the implications of the obfuscated code.
"The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it," the npm team wrote in an advisory at the time. "All secrets and keys stored on that computer should be rotated immediately from a different computer.”
Both packages were downloaded more than 100 times before their malicious behavior was detected by Sonatype, which scans package repositories on a regular basis. That sounds like a small number, but these types of attacks don’t need a large number of downloads to be effective. These attacks involve tricking developers into downloading packages, and not injecting malicious code into legitimate components. It is relatively easy to keep tossing malicious libraries onto repositories and collecting victims a few at a time.
Attackers are utilizing different types of tricks to trick developers into using malicious software components into their applications, including typosquatting. Typosquatting refers to taking advantage of typing mistakes by using names that are similar to other packages. Typically, if someone makes a mistake typing the name of a component, then that person should get an error message because it doesn’t exist. Attackers are creating components using common variations, which means there are no error messages, and the person doesn’t know about the mistake.
Attackers seeded RubyGems with more than 760 malicious gems using names just a bit different than the standard code libraries, researchers at ReversingLabs said back in April. The atlas-client gem, which was trying to do the same thing as pretty_color to swap out cryptomining wallet addresses in the clipboard, was a misspelling of the atlas_client gem, which is used to access an API. The malicious gem was downloaded over 2,000 times.
Polluted repositories cause significant damage to software security because the malicious components can have a cascading effect. Even if the developer doesn’t include those specific packages in the application, if those packages are included in some other package that the application is using, then that application becomes compromised. Dependency scanning tools, like what GitHub offers, help developers discover these problematic nested components.
Software repositories, package managers, and vulnerability databases are all necessary components of the software supply chain, as are the developers and end users who leverage them,” the Linux Foundation said in February. “Unless and until the weaknesses inherent within their current designs and procedures are addressed, however, they will continue to expose the companies and developers who rely upon them to significant risk.