Supply Chain Attacks Open Source
5. Some packages had too many contributors, which made it hard for maintainers
to keep tabs on all changes. An attacker can use social engineering to become
regarded as a trusted contributor to such packages before sneaking in malicious
code.
Next steps
“If we think about different supply chain attacks, we will often see attackers using
new techniques that we have not witnessed yet to propose a solution,” Zahan
said.
“Our study aims to motivate practitioners to adopt best security practices instead
of waiting for an attack to happen.”
The researchers corroborated their findings through a survey of hundreds of
NPM package maintainers. Most participants agreed with the severity of the first
three indicators and were interested in being notified about potential problems in
these areas.
It might be possible for the maintainers of the NPM repository to compute and
display a risk model based on scoring the indicators of potential problems they
identify, the researchers suggest.
Such a model would enable package managers to evaluate the security of their
packages and address areas of potential weakness. It would also enable package
users to make more educated, data-driven decisions and comparisons before
incorporating new packages into their development pipelines.
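To make the suggested risk model concrete, here is an added example (not code from the article, the researchers or the NPM registry) of a scorer that reads npm-style package metadata, checks one of the weak link signals named above (too many contributors for the maintainers to review) and ranks packages so they can be compared before adoption. The package metadata is constructed, and the threshold and indicator weight are assumptions chosen for illustration, not values from the study; further indicators would be added as extra `Indicator` entries in the same way.

```python
"""Toy weak-link risk scorer over npm-style package metadata.

Added example, not the researchers' or the registry's own code. The
metadata, the threshold and the weight below are constructed/assumed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed registry-style metadata, trimmed to the fields the scorer
# reads. Package names, people and counts are made up for this example.
PACKAGES: Dict[str, dict] = {
    "tiny-helper": {
        "maintainers": [{"name": "alice"}],
        "contributors": [{"name": "alice"}, {"name": "bob"}],
    },
    "mega-util": {
        "maintainers": [{"name": "carol"}],
        "contributors": [{"name": f"user{i}"} for i in range(60)],
    },
    "well-staffed": {
        "maintainers": [{"name": f"m{i}"} for i in range(6)],
        "contributors": [{"name": f"c{i}"} for i in range(60)],
    },
}


@dataclass(frozen=True)
class Indicator:
    """One weak-link signal: a predicate over package metadata plus a weight."""
    name: str
    weight: float                  # assumed weight; weights need not sum to 1
    check: Callable[[dict], bool]  # True when the signal fires for a package


# Assumed threshold: flag a package when each maintainer would have to keep
# tabs on changes from more than this many distinct contributors.
MAX_CONTRIBUTORS_PER_MAINTAINER = 20


def too_many_contributors(meta: dict) -> bool:
    """Signal from the article: more contributors than maintainers can review."""
    maintainers = len(meta.get("maintainers", [])) or 1  # avoid division by zero
    contributors = len(meta.get("contributors", []))
    return contributors / maintainers > MAX_CONTRIBUTORS_PER_MAINTAINER


# Pluggable indicator list; other signals would be appended here.
INDICATORS: List[Indicator] = [
    Indicator("too_many_contributors", 0.5, too_many_contributors),
]


def score_package(meta: dict, indicators: List[Indicator] = INDICATORS) -> Tuple[float, List[str]]:
    """Return (risk in 0..1, names of indicators that fired) for one package."""
    total = sum(ind.weight for ind in indicators)
    fired = [ind.name for ind in indicators if ind.check(meta)]
    if total == 0:
        return 0.0, fired
    risk = sum(ind.weight for ind in indicators if ind.name in fired) / total
    return round(risk, 3), fired


def rank_packages(packages: Dict[str, dict], indicators: List[Indicator] = INDICATORS):
    """Rank packages from riskiest to least risky; ties broken by name."""
    scored = [(name, *score_package(meta, indicators)) for name, meta in packages.items()]
    return sorted(scored, key=lambda row: (-row[1], row[0]))


if __name__ == "__main__":
    for name, risk, fired in rank_packages(PACKAGES):
        print(f"{name:<14} risk={risk:<5} flags={fired}")
```

The ranking is what a package consumer would compare before adding a dependency; the same `score_package` output is what a registry could surface as a notification to maintainers, since the survey found they wanted to be told when these signals fire.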
“Please think about package security before selecting any package,” Zahan
concluded. “Do not use a package just because other people are using the same
package. Our proposed weak link signals along with the OpenSSF Metrics,
Scorecard, and Best Practices Badge projects can be a good start to measure
package risk in the supply chain.”