Researchers at JFrog have discovered that waiting approximately 14 days before updating open-source software packages can help users avoid the downstream effects of package-hijack attacks. Package hijacking has become a popular method for attackers to spread malware quickly throughout the software supply chain by inserting malicious code into open-source software packages.
The study conducted by JFrog analyzed the compromise of various open-source software packages with millions of downloads. The researchers examined the timespan it took for the attack to be discovered and how many times the infected package was downloaded before the malicious code could be mitigated. The findings revealed that it can take anywhere from a few hours to over a week for project developers or maintainers to identify the malicious code and release an update to fix the issue.
As a result of this research, users are advised to wait approximately two weeks before updating to any new version of an open-source software package. This waiting period allows enough time for the attack to be discovered and the malicious versions of the package to be removed. Shachar Menashe, senior director of security research at JFrog, states that users who follow this 14-day waiting period should be immune to package-hijacking attacks.
Package hijacking occurs when a threat actor or even a project developer or maintainer injects malicious code into an update of an open-source package. Users typically discover this malicious activity either through payload effects or by auditing changes in the package’s code. With the rise in popularity of package repositories like npm and PyPI, attackers have a direct route to infecting thousands of users within a short timeframe.
JFrog’s research also focused on determining the time it takes for users to detect the package hijack and work with project developers to release an update. This timeframe is crucial since it represents when users of the package are vulnerable to the attack. The researchers examined examples of both external and self-package hijacking.
External package hijacking involves a third party injecting malicious code into the package, either by compromising a code maintainer’s account or obfuscating the code as a legitimate contribution. Examples of external package hijacking included the PyTorch Python library, ua-parser-js, and coa software packages. It took users five days to detect the PyTorch hijacking, while the parser and coa hijacks were discovered within hours.
Self-package hijacking occurs when legitimate developers or maintainers inject malicious code into a package as a form of protest. JFrog investigated three examples of self-package hijacking, including the “colors” and “faker” npm packages and the node-ipc package. The researchers found that users detected the sabotage within two days for the npm packages and around eight days for the node-ipc package.
Apart from waiting to update software packages, developers and organizations can mitigate the threat of software supply chain attacks by carefully vetting packages before including them in their software. JFrog recommends using curation tools to define rules for accessing packages or blocking the download of third-party packages released less than 14 days ago. This helps prevent the download of potentially risky packages from public repositories.
To assist developers and organizations in detecting and avoiding the use of malicious code within software packages, JFrog has published a blog post that provides insights on how this code is hidden and offers guidance on detecting it.
In conclusion, waiting approximately 14 days before updating open-source software packages can provide users with protection against package-hijack attacks. The research conducted by JFrog demonstrates the importance of timely detection and mitigation of package hijacks to ensure the security of software supply chains. Developers and organizations should also implement strategies such as careful package vetting and the use of curation tools to further mitigate the risks associated with software supply chain attacks.