Recent security vulnerabilities in popular software package managers are raising concerns among digital safety experts. When these flaws compromise machines, it may be possible for hackers to get their hands on sensitive information, including source code and access tokens. On an optimistic note, this cyber sabotage cannot happen unless the developer also downloads separate malware files.
The use of package managers has become routine for most IT professionals. These tools or systems are utilized to automate processes such as installing, upgrading, and configuring third-party software that is employed in the development of applications. Flaws have been identified in the following package managers:
- Composer 1.x 1.10.23 and 2.x 2.1.9
- Bundler 2.2.33
- Bower 1.8.13
- Poetry 1.1.9
- Yarn 1.22.13
- pnpm 6.15.1
When this security breach victimizes a user, a flaw in Composer’s browse command inserts a URL into a malicious package that has already been published, resulting in arbitrary code execution. It could even pave the way for the launching of further attacks in the future.
Disclosure of the bug occurred on September 9, 2021. Shortly thereafter, fixes were released to mitigate vulnerabilities in Composer, Bundler, Bower, Poetry, Yarn, and Pnpm. However, the developers of PIP and Pipenv have chosen not to address the issue. This is risky, considering that the stakes are so high. Exploiting weaknesses in code such as those exemplified by this attack can leave companies vulnerable to espionage or devastated by the consequences of embedded malware.
“Developers are an attractive target for cybercriminals because they have access to the core intellectual property assets of a company: source code,” SonarSource Researcher Paul Gerste said, “compromising them allows attackers to conduct espionage or embed malicious code into a company’s products. That could even be used to pull off supply chain attacks.” In light of our current economic and manufacturing woes, this could be the most potentially devastating result.