Community Blog

Open Source Readiness - Weekly Update - 26 September 2023

Written by Rob Moffat | 9/26/23 3:04 PM

This year at FINOS we are focusing on one of FINOS' key existing projects: Open Source Readiness. This is FINOS' term for helping the finance industry "do open source properly".

This week, let’s talk about supply chain security. The table below is from our upcoming article, “Open Source Supply Chain Security”, which is currently open as a pull request and needs feedback.


Here is a table from the article listing some common supply chain attacks and vulnerabilities. How many have you heard of?

Examples of Common Supply Chain Attacks

| Attack Name | Description | Example |
| --- | --- | --- |
| Dependency/Manifest Confusion | An attacker publishes a package to a public registry under the same name as a private package used by a specific company. If the company's build system is configured to consult both the private and the public index, the resolver may pull the malicious public package (typically the one carrying the higher version number) instead of the intended private one. Manifest confusion, often listed alongside it, is a distinct npm weakness: the registry does not check that a package's published manifest matches the package.json inside its tarball, so tooling that trusts the manifest alone can be misled about dependencies and install scripts. | Alex Birsan's 2021 dependency confusion research |
| Package Stealing/Hijacking | Attackers take over an existing package, either by compromising a maintainer's account or by adopting an abandoned or poorly maintained package, and publish a new version with malicious changes. Dependants that allow automatic updates pull the malicious version in. | ua-parser-js (npm, October 2021) |
| Malicious Forks/Masquerading | An attacker forks or clones a popular open-source project, introduces malicious changes, and then promotes the copy to unsuspecting users as if it were the original. | Stephen Lacy's 2022 discovery of malware-laden GitHub clones |
| RepoJacking | An organisation or maintainer renames or deletes its account on a code host such as GitHub, leaving the old name free. An attacker registers the old name and recreates the repository at its old path, so any project that still fetches dependencies or code from the old URL now pulls attacker-controlled content. | ctx (PyPI) and phpass (Packagist), May 2022 |
| Piggybacking on Legitimate Packages/Pull Request Sneaking | Attackers contribute malicious code to popular, legitimate projects, usually through pull requests. If review is not thorough, the malicious change is merged into the main project and shipped to every user of it. | Teleport |
| Download Count Inflation/Star Jacking | To make a malicious package look popular and trustworthy, attackers artificially inflate its download count, or point the package's metadata at an unrelated, well-starred GitHub repository so that the registry displays that project's stars and activity as its own (star jacking). | Pampyio |
| Trojan Package | The attacker publishes a fully functional library and hides malicious code inside it, so the package passes casual inspection and does what it advertises while also carrying its payload. | lemaaa |
| Joke Packages | Not strictly an attack: packages published as jokes or with trivial content. They add dependencies that carry little value but still widen the set of maintainers and accounts that must be trusted, and cause dependency bloat. | true |
| Cache Poisoning | Exploiting weaknesses in how a package manager, proxy or build cache handles request parameters, so that a malicious artifact is stored and later served in place of the legitimate one. | Rack |
| TypoSquatting | Registering a name that is a slight typographical variant of a well-known one (a package name as much as a domain), so that users who mistype the name receive the attacker's package instead. | "Amzon.com" |

Note: this table is a list of notable examples rather than a taxonomy. For a more systematic treatment, see the MITRE ATT&CK technique Supply Chain Compromise (T1195) and its sub-techniques.

How many did you know?

OSFF Reminder: 5 Weeks to Go!

If you’re working for a FINOS member and you live in New York, why haven’t you signed up to come to OSFF yet?

There are complimentary passes for employees of FINOS Member Firms so hurry up and register already!

The OSR and InnerSource SIGs are collaborating on running a booth at the event - would you like to help staff it? Get in touch if so!  

If you haven't received your unique member code, please contact osff@finos.org and we’ll get you sorted.

Sign up here!
