Trojan horses in your codebase
A common assumption is that malware mainly spreads through phishing, when in fact open source dependencies represent a vast distribution network with access to millions of potential victims. Developers working against deadlines to ship features may accidentally introduce critical security risks by incorporating dependencies that aren’t what they seem.
Malicious dependencies contain harmful code disguised as legitimate software components in public repositories. They serve as vectors for supply chain attacks such as credential stealing, cryptomining, malware, spyware, and more. Identifying packages like these as early as possible will help prevent a more widespread incident where an attacker has been lingering in your environment undetected for a long period of time.
These threats emerge through methods such as:
New packages designed to appear trustworthy, but that are actually malicious
Legitimate packages compromised by attackers, like the XZ Utils supply chain attack
One typo away from a vulnerable dependency
Take a developer needing to use TensorFlow, a popular Python package used for machine learning. In a rush, it would be an honest mistake to type pip install tenorflow and install tenorflow (note the typo!) instead of the correct command pip install tensorflow. Instead of receiving the legitimate package for machine learning, the developer's environment now includes malicious software. In the case of tenorflow, the setup script installs a malicious browser extension that replaces any cryptocurrency address copied into the clipboard with an address owned by the attacker.
Our approach to malicious dependency detection
For Supply Chain vulnerabilities based on patterns and code usage, Semgrep’s dataflow reachability analysis determines the exact place in your code that introduces a vulnerability. For example, you may be using a function from a vulnerable dependency in a way that introduces a critical vulnerability to your code. Review our previous post on reachability analysis for more on this. Semgrep’s approach to malicious dependencies is slightly different. With malicious dependencies, there’s no need to identify the exact location in your code where the dependency is called – just using the malicious package means the malicious finding applies to you.
The Semgrep Security Research Team continuously monitors external sources for malicious package reports and generates rules that protect your environment against the latest threats, so that when a compromised dependency is installed, it’s quickly flagged by Semgrep.
What it looks like for you
Semgrep Supply Chain users can see findings from malicious dependencies in the Dependencies tab, and the rules for those malicious dependencies in the Advisories tab. AppSec teams can filter specifically for malicious dependency findings or for security advisories related to malicious dependencies.
In the case of tenorflow, the malicious dependency finding looks like this:
Incident playbook for malicious dependencies
To make effective use of Semgrep's malicious dependency detection, we recommend treating malicious dependency findings differently from findings generated by dataflow reachability analysis. A recommended incident response workflow should:
Quickly notify your Security Incident Response on-call when a malicious dependency is detected
Initiate an investigation to understand how you may be impacted
Look for indicators of compromise or other key indicators of a security breach in available logs
Treat these findings as critical and contain and mitigate them immediately
With Semgrep you have the option to automatically block PRs that introduce malicious dependencies. Once you've identified where the malicious dependency is used, notify the appropriate engineering team. Developers may need to:
Upgrade to a non-malicious version
Remove the package and replace it with another package of similar functionality
Teams should follow a typical incident response process for these findings instead of letting them linger in their environments. Having a strong relationship and mutual understanding with your engineering teams on how to prioritize these findings will be critical when triaging and addressing malicious dependency findings.
Protect yourself now from malicious dependencies
The public beta for malicious dependency detection is now available! It’s included as part of Semgrep Supply Chain. To try our malicious dependency detection feature and add another pillar to your supply chain security coverage, contact us!