Multiple Security Flaws Discovered in Popular Software Package Managers


Recent security vulnerabilities in popular software package managers are raising concerns among digital safety experts. When these flaws compromise machines, it may be possible for hackers to get their hands on sensitive information, including source code and access tokens. On an optimistic note, this cyber sabotage cannot happen unless the developer also downloads separate malware files.

The use of package managers has become routine for most IT professionals. These tools or systems are utilized to automate processes such as installing, upgrading, and configuring third-party software that is employed in the development of applications. Flaws have been identified in the following package managers:

  • Composer 1.10.23 (1.x) and 2.1.9 (2.x)
  • Bundler 2.2.33
  • Bower 1.8.13
  • Poetry 1.1.9
  • Yarn 1.22.13
  • pnpm 6.15.1
  • Pip
  • Pipenv

In the Composer case, the flaw lies in how the browse command handles a URL taken from a malicious package that has already been published; an affected user ends up with arbitrary code execution on their machine. That foothold could even pave the way for further attacks later on.
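The underlying pattern, untrusted package metadata ending up in a command the package manager runs, is easier to see in code. The following is an added example written for this post, not Composer's code or anything from the SonarSource write-up: the metadata field name, the opener command and the sample metadata are all assumptions constructed for illustration. It contrasts the risky string-building habit with a validator that only hands an argv list (no shell) to the opener.

```python
"""Added example (not from the original post, Composer or SonarSource).

A package manager's "browse"-style command opens a URL that the package
itself supplies.  If that URL is spliced into a shell command string, a
published malicious package controls part of that command.  The field
name "homepage" and the opener "xdg-open" are assumptions for the demo.
"""
from urllib.parse import urlsplit

# Constructed metadata as a malicious published package might carry it.
MALICIOUS_METADATA = {
    "name": "vendor/example-package",
    "homepage": "https://example.com/$(id)#'; echo injected ;'",
}

# Constructed metadata for a benign package.
BENIGN_METADATA = {
    "name": "vendor/example-package",
    "homepage": "https://example.com/vendor/example-package",
}

# Characters a shell (or a careless opener) would treat as syntax.
SHELL_METACHARACTERS = set("$`'\";|&<>(){}\\\n\r")


class UnsafePackageUrl(ValueError):
    """Raised when package-supplied metadata is rejected."""


def build_open_command_unsafe(metadata: dict, opener: str = "xdg-open") -> str:
    """The risky pattern: the untrusted URL is concatenated into a string
    destined for a shell (exec/system).  Returned, never executed here,
    so the reader can see that the injected text survives verbatim."""
    return f"{opener} {metadata['homepage']}"


def validate_package_url(url: str) -> str:
    """Accept only http(s) URLs with a host and no shell metacharacters
    or whitespace; anything else is rejected before it reaches a command."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise UnsafePackageUrl(f"scheme not allowed: {parts.scheme!r}")
    if not parts.hostname:
        raise UnsafePackageUrl("missing host")
    if any(ch.isspace() or ch in SHELL_METACHARACTERS for ch in url):
        raise UnsafePackageUrl("shell metacharacter or whitespace in URL")
    return url


def is_safe_package_url(url: str) -> bool:
    """Boolean convenience wrapper around validate_package_url."""
    try:
        validate_package_url(url)
    except UnsafePackageUrl:
        return False
    return True


def build_open_command_safe(metadata: dict, opener: str = "xdg-open") -> list:
    """The hardened pattern: validate first, then return an argv list so
    the caller can use subprocess.run(argv) with no shell involved."""
    url = validate_package_url(metadata["homepage"])
    return [opener, url]


if __name__ == "__main__":
    print("unsafe:", build_open_command_unsafe(MALICIOUS_METADATA))
    print("safe  :", build_open_command_safe(BENIGN_METADATA))
    print("malicious accepted?", is_safe_package_url(MALICIOUS_METADATA["homepage"]))
```

The point of the validator is not the blocklist alone; rejecting unexpected schemes and passing an argv list rather than a shell string are what remove the attacker's ability to turn a URL into commands. A blocklist on top is defence in depth for openers that parse their argument loosely.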

Disclosure of the bug occurred on September 9, 2021. Shortly thereafter, fixes were released to mitigate the vulnerabilities in Composer, Bundler, Bower, Poetry, Yarn, and pnpm. However, the developers of pip and Pipenv have chosen not to address the issue. This is risky, considering that the stakes are so high: weaknesses of the kind exploited here can leave companies open to espionage or devastated by the consequences of embedded malware.

“Developers are an attractive target for cybercriminals because they have access to the core intellectual property assets of a company: source code,” SonarSource researcher Paul Gerste said. “Compromising them allows attackers to conduct espionage or embed malicious code into a company’s products. That could even be used to pull off supply chain attacks.” In light of our current economic and manufacturing woes, this could be the most devastating result of all.
