This presentation takes you through recent attacks aimed at software developers and software companies. First it starts with attacks on libraries you install or have installed (typosquatting, pushing malicious library updates due to maintainer's credential takeover, protestware), even your private ones (dependency confusion). Second it shows attack on tools which are used in software development (package managers). Third, there are examples of attacks onto developer's infrastructure (PHP programming language git sever, GitHub OAuth incident with Heroku and Travis-CI).

1. Mateusz Olejarka
Developer in a digital
crosshair, 2022
edition

4. BIO
• Principal Security Consultant @ SecuRing
• Head of Web Security
• Co-author of Security Aware Developer
training
• Ex-developer

5. AGENDA
•Attacks on libraries
•Attacks on tools
•Attacks on infrastructure

6. Attacks on
libraries
https://flickr.com/photos/29233640@N07/

7. COMPLEXITY https://sambleckley.com/writing/npm.html

9. FUN FACT
https://www.npmjs.com/package/-

10. FUN FACT
https://cdn.jsdelivr.net/npm/-@0.0.1/

11. FUN FACT
https://web.archive.org/web/20201118151234/https://www.npmjs.com/package/-

12. - STORY
"I mean no harm to anyone in any way“
Parzhitsky told BleepingComputer, stressing the
package was fully compliant with npm's naming
rules at the time of its creation and created as a
test.
https://www.bleepingcomputer.com/news/software/empty-npm-package-
has-over-700-000-downloads-heres-why/

13. - STORY
Parzhitsky agrees [...] that the unusually high
number of downloads can most likely be
attributed to developers making typos.

14. ATTACKS ON LIBRARIES
• Typosquatting
• Dependency confusion
• Maintainer’s account takeover
• Phishing
• Expired domain
• Protestware

15. TYPOSQUATTING
https://www.npmjs.com/package/electorn

16. TYPOSQUATTING

17. https://www.linkedin.com/in/andre-eleuterio/
https://www.npmjs.com/~andreeleuterio

18. https://www.iqt.org/bewear-python-typosquatting-is-about-more-than-typos/

19. DEPENDENCY CONFUSION

20. DEPENDENCY CONFUSION
What happens if malicious code is uploaded to
npm under these names?
Is it possible that some of PayPal’s internal
projects will start defaulting to the new public
packages instead of the private ones?
https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610

21. UAParser.js

22. UAParser.js

23. https://my.diffend.io/npm/ua-parser-js/0.7.28/0.7.29

29. coa

30. coa

31. coa

33. EXPIRED DOMAIN

34. EXPIRED DOMAIN

35. EXPIRED DOMAIN

36. colors AND faker
https://my.diffend.io/npm/colors/1.4.0/1.4.44-liberty-2

37. colors AND faker
https://www.bleepingcomputer.com/news/security/dev-corrupts-npm-libs-colors-and-faker-
breaking-thousands-of-apps/

38. PROTESTWARE
https://www.npmjs.com/package/node-ipc

39. PROTESTWARE
https://my.diffend.io/npm/node-ipc/10.1.0/10.1.1

40. PROTESTWARE
https://api.ipgeolocation.io/ipgeo?apiKey=[cut]
./
../
../../
/
country_name
russia
belarus

41. PROTEST
WARE
❤
❤

42. PROTESTWARE
https://snyk.io/blog/peacenotwar-malicious-npm-node-ipc-package-vulnerability/

43. ATTACKS ON LIBRARIES
• Typosquatting
• Dependency confusion
• Maintainer’s account takeover
• Phishing
• Expired domain
• Protestware

44. Attacks on
tools
https://flickr.com/photos/danielmee/

45. ATTACKS ON TOOLS
• Codecov
• Homebrew
• npm
• Ruby Gems

46. On Thursday, April 1, 2021, we learned that
someone had gained unauthorized access to
our Bash Uploader script and modified it
without our permission.

47. A customer reported this to us on the morning
of April 1, 2021.
This customer was using the shasum that is
available on our Bash Uploader to confirm the
integrity of the uploader fetched from
https://codecov.io/bash.

49. https://gist.github.com/davidrans/ca6e9ffa5865983d9f6aa00b7a4a1d10

50. The actor gained access because of an error in
Codecov’s Docker image creation process
that allowed the actor to extract the
credential required to modify our Bash
Uploader script.

52. Our use of Codecov’s Bash Uploader script
was limited: it was set up on a single CI
server used to test and build some internal
tooling […].
We were not using Codecov on any CI
server used for product code.
https://www.rapid7.com/blog/post/2021/05/13/rapid7s-response-to-codecov-incident/

53. HCSEC-2021-12 - Codecov Security Event and
HashiCorp GPG Key Exposure
“While investigation has not revealed evidence
of unauthorized usage of the exposed GPG key,
it has been rotated in order to maintain a
trusted signing mechanism.”
https://discuss.hashicorp.com/t/hcsec-2021-12-codecov-
security-event-and-hashicorp-gpg-key-exposure/23512

54. https://news.ycombinator.com/item?id=26819983

55. HOMEBREW
18.04.2021
In the Homebrew/homebrew-cask
repository, it was possible to merge the
malicious pull request by confusing the
library that is used in the automated pull
request review script developed by the
Homebrew project.
https://blog.ryotak.me/post/homebrew-security-incident-en/

56. HOMEBREW
This is due to a flaw in the git_diff
dependency of the review-cask-pr GitHub
Action, which is used to parse a pull
request’s diff for inspection.
Due to this flaw, the parser can be
spoofed into completely ignoring the
offending lines, resulting in successfully
approving a malicious pull request.

57. HOMEBREW
By abusing it, an attacker could execute
arbitrary Ruby codes on users' machine
who uses brew.
The discovered vulnerability would allow an
attacker to inject arbitrary code into a cask
and have it be merged automatically.

58. Second, on November 2 we received a report to
our security bug bounty program of a
vulnerability that would allow an attacker to
publish new versions of any npm package
using an account without proper
authorization.
https://github.blog/2021-11-15-githubs-commitment-to-npm-ecosystem-security/

59. We determined that this vulnerability was due to
inconsistent authorization checks and
validation of data across several
microservices that handle requests to the npm
registry.

60. This vulnerability existed in the npm registry
beyond the timeframe for which we have
telemetry to determine whether it has ever been
exploited maliciously.
However, we can say with high confidence that this
vulnerability has not been exploited maliciously
during the timeframe for which we have
available telemetry, which goes back to
September 2020.

61. RUBY GEMS
https://github.com/rubygems/rubygems.org/security/advisories/GHSA-2jmx-8mh8-pm8w
An ordering mistake in the code that accepts
gem uploads allowed some gems […] to be
temporarily replaced in the CDN cache by a
malicious package.

62. RUBY GEMS
1. An attacker could guess the next version
number, and create a gem with the name
sorbet-static-0.5.9996-universal-darwin and
version number 20.
2. With a crafted invalid gemspec, it was
possible to coerce RubyGems.org to save that
gem to S3 without creating a matching database
record.

63. RUBY GEMS
3. Later, the real sorbet-static gem would
release version 0.5.9996 as usual, and the
attacker-controlled file would be overwritten on
S3.
4. However, if the attacker had already primed
the Fastly CDN cache by requesting their
malicious gem, Fastly would continue to serve
the old, malicious package.

64. Attacks on tools
• Codecov
• Homebrew
• npm
• Ruby Gems

65. Attacks on
infrastructure
https://flickr.com/photos/quinnanya/

66. ATTACKS ON INFRASTRUCTURE
• PHP
• Github, Heroku and Travis-CI

67. Yesterday (2021-03-28) two malicious
commits were pushed to the php-src repo [1]
from the names of Rasmus Lerdorf and myself.
We don't yet know how exactly this happened,
but everything points towards a compromise of
the git.php.net server (rather than a
compromise of an individual git account).
https://news-web.php.net/php.internals/113838

70. While investigation is still underway, we have
decided that maintaining our
own git infrastructure is an unnecessary security
risk, and that we will
discontinue the git.php.net server.
Instead, the repositories on GitHub,
which were previously only mirrors, will
become canonical.

71. Something I was not aware of at the time is that
git.php.net (intentionally) supported pushing
changes not only via SSH […] but also via HTTPS.
The latter did not use gitolite, and instead used git-
http-backend behind Apache2 Digest authentication
against the master.php.net user database.
Based on access logs, we can determine that the
commits were indeed pushed using HTTPS and
password-based authentication.
https://news-web.php.net/php.internals/113981

73. It is notable that the attacker only makes a
few guesses at usernames, and successfully
authenticates once the correct username has
been found.
While we don't have any specific evidence for
this, a possible explanation is that the user
database of master.php.net has been leaked

74. The master.php.net system, which is used for
authentication and various management tasks,
was running very old code on a very old
operating system
/
PHP version, so some kind of vulnerability
would not be terribly surprising.

75. On April 12, GitHub Security began an
investigation that uncovered evidence that an
attacker abused stolen OAuth user tokens
issued to two third-party OAuth integrators,
Heroku and Travis-CI, to download data from
dozens of organizations, including npm.
https://github.blog/2022-04-15-security-alert-stolen-oauth-user-tokens/

76. Our analysis of other behavior by the threat
actor suggests that the actors may be mining
the downloaded private repository
contents, to which the stolen OAuth token had
access, for secrets that could be used to
pivot into other infrastructure.

77. GitHub contacted Heroku and Travis-CI to
request that they initiate their own security
investigations, revoke all OAuth user tokens
associated with the affected applications, and
begin work to notify their own users.

78. We do not believe the attacker obtained
these tokens via a compromise of GitHub or
its systems, because the tokens in question
are not stored by GitHub in their original, usable
formats.

79. On April 7, 2022, a threat actor obtained access
to a Heroku database and downloaded stored
customer GitHub integration OAuth tokens.
Access to the environment was gained by
leveraging a compromised token for a Heroku
machine account.
https://status.heroku.com/incidents/2413

80. On that same day, the threat actor
downloaded data from another database that
stores pipeline-level config vars for Review
Apps and Heroku CI.
Additionally, another small subset of Heroku
users had their Heroku tokens exposed in a
config var for a pipeline.

81. On April 15, 2022, Travis CI personnel were
informed that certain private customer
repositories may have been accessed by an
individual who used a man-in-the-middle 2FA
attack, leveraging a third-party integration
token.
https://blog.travis-ci.com/2022-04-17-securitybulletin

82. Upon further review that same day, Travis CI
personnel learned that the hacker breached a
Heroku service and accessed a private
application OAuth key used to integrate the
Heroku and Travis CI application.

83. Travis CI immediately revoked all
authorization keys and tokens preventing
any further access to our systems. No
customer data was exposed and no further
access was possible.

84. https://flickr.com/photos/143106192@N03/

85. LIBRARIES

86. LIBRARIES
• Awareness

87. LIBRARIES
• Awareness
• No typos ;)

88. LIBRARIES
• Awareness
• No typos ;)
• Use tools to detect malicious dependencies

89. LIBRARIES
• Awareness
• No typos ;)
• Use tools to detect malicious dependencies
• Download from official sources

90. LIBRARIES
• Awareness
• No typos ;)
• Use tools to detect malicious dependencies
• Download from official sources
• When not sure do not install

91. LIBRARIES
• Awareness
• No typos ;)
• Use tools to detect malicious dependencies
• Download from official sources
• When not sure do not install
• Enable 2FA (as a maintainer)

92. LIBRARIES
• Awareness
• No typos ;)
• Use tools to detect malicious dependencies
• Download from official sources
• When not sure do not install
• Enable 2FA (as a maintainer)

93. TOOLS

94. TOOLS
• I will not download and run scripts directly from the net

95. TOOLS
• I will not download and run scripts directly from the net
• I will verify checksums and signatures of downloaded
files

96. TOOLS
• I will not download and run scripts directly from the net
• I will verify checksums and signatures of downloaded
files
• I will install only from official sources

97. TOOLS
• I will not download and run scripts directly from the net
• I will verify checksums and signatures of downloaded
files
• I will install only from official sources
• I will update frequently what I already installed

98. TOOLS
• I will not download and run scripts directly from the net
• I will verify checksums and signatures of downloaded
files
• I will install only from official sources
• I will update frequently what I already installed

99. INFRASTRUCTURE

100. INFRASTRUCTURE
• Keep good inventory, especially of what is in the clouds

101. INFRASTRUCTURE
• Keep good inventory, especially of what is in the clouds
• Disable/shutdown what’s unused

102. INFRASTRUCTURE
• Keep good inventory, especially of what is in the clouds
• Disable/shutdown what’s unused
• Secure configurations

103. INFRASTRUCTURE
• Keep good inventory, especially of what is in the clouds
• Disable/shutdown what’s unused
• Secure configurations
• Frequently update (to fix known issues)

104. INFRASTRUCTURE
• Keep good inventory, especially of what is in the clouds
• Disable/shutdown what’s unused
• Secure configurations
• Frequently update (to fix known issues)
• Monitor, monitor, monitor

105. INFRASTRUCTURE
• Keep good inventory, especially of what is in the clouds
• Disable/shutdown what’s unused
• Secure configurations
• Frequently update (to fix known issues)
• Monitor, monitor, monitor

106. ?
https://www.linkedin.com/in/molejarka/