CAPEC-693: StarJacking
CAPEC版本: 3.9
更新日期: 2023-01-24
攻击模式描述
执行流程
步骤 1 Explore
[Identify target] The adversary must first identify a target package whose popularity statistics will be leveraged. This will be a popular and widely used package, as to increase the perceived pedigree of the malicious package.
步骤 2 Experiment
[Spoof package popularity] The adversary provides their malicious package to a package manager and uses the source code repository URL identified in Step 1 to spoof the popularity of the package. This malicious package may also closely resemble the legitimate package whose statistics are being utilized.
步骤 3 Exploit
[Exploit victims] The adversary infiltrates development environments with the goal of conducting additional attacks.
- Active: The adversary attempts to trick victims into downloading the malicious package by means such as phishing and social engineering.
- Passive: The adversary waits for victims to download and leverage the malicious package.
前提条件
- Identification of a popular open-source package whose popularity metadata is to be used for the malicious package.
所需技能
后果影响
影响范围: Integrity
技术影响: Modify Data
影响范围: Accountability
技术影响: Hide Activities
影响范围: Access Control Authorization
技术影响: Execute Unauthorized Commands
缓解措施
Before downloading open-source packages, perform precursory metadata checks to determine the author(s), frequency of updates, when the software was last updated, and if the software is widely leveraged.
Look for conflicting or non-unique repository references to determine if multiple packages share the same repository reference.
Reference vulnerability databases to determine if the software contains known vulnerabilities.
Only download open-source packages from reputable package managers.
After downloading open-source packages, ensure integrity values have not changed.
Before executing or incorporating the package, leverage automated testing techniques (e.g., static and dynamic analysis) to determine if the software behaves maliciously.
示例实例
In April 2022, Checkmarx reported that packages hosted on NPM, PyPi, and Yarn do not properly validate that the provided GitHub repository URL actually pertains to the package being provided. Combined with additional attacks such as TypoSquatting, this allows adversaries to spoof popularity metadata by associating popular GitHub repository URLs with the malicious package. This can further lead to developers unintentionally including the malicious package within their development environments [REF-721].