Entry points in open-source packaging ecosystems such as Python, npm, RubyGems, Rust crates, NuGet, and Dart Pub could be abused for software supply chain attacks, with attackers exploiting them through command-jacking and rogue plugins.
Program entry points are a packaging mechanism that developers use to expose a specific piece of functionality, such as a command-line wrapper. Attackers can abuse these entry points so that malicious code runs whenever a particular command is executed.
The technique, identified by Checkmarx researchers Yehuda Gelb and Elad Rapaport, poses a risk to open-source ecosystems because entry-point attacks are a persistent and stealthy way of compromising systems. Entry points exist to improve modularity, but the same feature can be abused to distribute malicious code.
Command-jacking happens when malicious packages declare entry points that impersonate popular third-party tools and commands. The package harvests sensitive information once users install it and invoke the impersonated command. The technique's success depends on the order of directories in the PATH.
“If the directory containing the malicious entry points appears earlier in the PATH than the system directories, the malicious command will be executed instead of the system command. This is more likely to occur in development environments where local package directories are prioritized,” the researchers said.
Command-jacking can be made stealthier through command wrapping: the malicious entry point acts as a wrapper around the original command rather than replacing it, so the malicious code runs while the legitimate command is still executed and detection is avoided. The researchers said, “Since the legitimate command still runs and its output and behaviour are preserved, there’s no immediate sign of compromise, making the attack extremely difficult to detect through normal use.”
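The following Python script is an added defensive example, not code from the article or from Checkmarx, showing how the PATH-ordering condition described above can be audited. It parses the console_scripts section of a package's entry_points.txt (the metadata file Python installers write for entry points) and flags declared command names that collide with executables in system directories, then walks a PATH and reports non-system directories whose executables shadow a same-named command in a system directory that appears later. The entry_points.txt content, package name, PATH string, and directory listings are constructed sample data; the set of trusted system directories and the list of commands a virtual environment is expected to shadow are assumptions.

```python
import configparser
import os
from typing import Dict, Iterable, List, Mapping, Set, Tuple

# Constructed sample of a package's entry_points.txt. The package name and
# module paths are invented for illustration; "curl" deliberately collides
# with a system command name.
SAMPLE_ENTRY_POINTS_TXT = """\
[console_scripts]
curl = somepkg.cli:main
mytool = somepkg.cli:run
"""

# Constructed sample PATH and directory listings standing in for a real file system.
SAMPLE_PATH = "/home/dev/.venv/bin:/usr/local/bin:/usr/bin:/bin"
SAMPLE_LISTING: Dict[str, Set[str]] = {
    "/home/dev/.venv/bin": {"python", "pip", "curl", "mytool"},
    "/usr/local/bin": {"node"},
    "/usr/bin": {"curl", "python", "ls"},
    "/bin": {"ls", "sh"},
}
# Assumed set of trusted system directories for this check.
SYSTEM_DIRS = frozenset(
    {"/usr/local/bin", "/usr/bin", "/bin", "/usr/local/sbin", "/usr/sbin", "/sbin"}
)
# Assumed list of commands a virtual environment shadows by design.
VENV_EXPECTED = frozenset({"python", "python3", "pip", "pip3"})


def parse_console_scripts(text: str) -> Dict[str, str]:
    """Return {command_name: 'module:callable'} declared under [console_scripts]."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # type: ignore[assignment]  # keep command-name case
    cp.read_string(text)
    if not cp.has_section("console_scripts"):
        return {}
    return dict(cp.items("console_scripts"))


def find_shadowed_commands(
    path: str,
    listing: Mapping[str, Iterable[str]],
    system_dirs: Iterable[str],
    allowlist: Iterable[str] = (),
) -> List[Tuple[str, str, str]]:
    """Report (command, shadowing_dir, shadowed_system_dir) for each command in a
    non-system PATH directory that hides a same-named command in a system
    directory appearing later in PATH. Commands in allowlist are skipped and
    only the first shadowed system directory per command is reported."""
    system_dirs = set(system_dirs)
    allowlist = set(allowlist)
    dirs = [d for d in path.split(os.pathsep) if d]
    findings: List[Tuple[str, str, str]] = []
    for idx, directory in enumerate(dirs):
        if directory in system_dirs:
            continue
        for cmd in sorted(set(listing.get(directory, ())) - allowlist):
            for later in dirs[idx + 1:]:
                if later in system_dirs and cmd in set(listing.get(later, ())):
                    findings.append((cmd, directory, later))
                    break
    return findings


def flag_colliding_entry_points(
    scripts: Mapping[str, str],
    listing: Mapping[str, Iterable[str]],
    system_dirs: Iterable[str],
) -> List[str]:
    """Return declared console_scripts names that also exist as executables in a
    system directory, i.e. entry points that would compete with system commands."""
    system_cmds: Set[str] = set()
    for directory in system_dirs:
        system_cmds.update(listing.get(directory, ()))
    return sorted(name for name in scripts if name in system_cmds)


def listing_from_filesystem(path: str) -> Dict[str, Set[str]]:
    """Build a {directory: executable_names} map from a live PATH string."""
    listing: Dict[str, Set[str]] = {}
    for directory in path.split(os.pathsep):
        if not directory or not os.path.isdir(directory):
            continue
        names: Set[str] = set()
        for name in os.listdir(directory):
            full = os.path.join(directory, name)
            if os.path.isfile(full) and os.access(full, os.X_OK):
                names.add(name)
        listing[directory] = names
    return listing


if __name__ == "__main__":
    scripts = parse_console_scripts(SAMPLE_ENTRY_POINTS_TXT)
    print("declared console_scripts:", scripts)
    print("collide with system commands:",
          flag_colliding_entry_points(scripts, SAMPLE_LISTING, SYSTEM_DIRS))
    print("shadowed in sample PATH:",
          find_shadowed_commands(SAMPLE_PATH, SAMPLE_LISTING, SYSTEM_DIRS, VENV_EXPECTED))
    # Run the same shadowing check against this machine's real PATH.
    live_path = os.environ.get("PATH", "")
    print("shadowed in live PATH:",
          find_shadowed_commands(live_path, listing_from_filesystem(live_path),
                                 SYSTEM_DIRS, VENV_EXPECTED))
```

On the sample data the script reports that `curl` in the virtual environment's bin directory shadows `/usr/bin/curl`, while `python` is suppressed by the allowlist because a virtual environment is meant to shadow it. The shadowing check only detects outright replacement of a command; a wrapping entry point that re-executes the real binary produces the same PATH finding, so the report is a prompt to inspect the package that installed the entry point rather than proof of compromise.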
Another way to abuse entry points is to build malicious plugins and extensions aimed at developers, which grants wide access to the codebase and lets attackers alter program behaviour during the testing stage.
Sonatype, in its annual State of the Software Supply Chain report, stated that more than 512,847 malicious packages had been found across the open-source ecosystems for JavaScript, Java, Python, and .NET since November 2023. The company said that traditional tools are often unable to detect the novel methods being exploited in the wild, leaving developers and automated build environments highly vulnerable.