A recent malware case has highlighted a growing security problem for companies: software supply chain attacks, in which the components a developer pulls into a project are themselves the way in. This one cropped up in RubyGems, the package repository for the Ruby programming language.
Package repositories are online libraries of software that handle common functions, ranging from text processors to AI and analytics. Developers upload and share them as a way of contributing to the common good. The repositories are typically open-source ecosystems that make packages freely available for download. Developers can fold them into their own software with a single command that tells their application to include them, saving lots of coding work. It’s a little like assembling code Lego.
Not all developers have the common good in mind, though. Some upload packages whose names are near-misses of popular ones (a technique known as typosquatting): a swapped character, or a hyphen where the real package uses an underscore. A developer who isn't paying attention installs the look-alike instead of the package they intended, it becomes part of their application, and its code runs with the developer's own privileges.
That's what happened with atlas-client, a malicious gem whose name mimics the legitimate atlas_client package (RubyGems treats the hyphen and the underscore as two different names). When installed, the fake gem checked whether it was running on Windows and, if so, dropped a clipboard hijacker: a program that watches the clipboard for anything resembling a cryptocurrency wallet address and silently replaces it with the attacker's address, so that a victim who copies and pastes a destination address ends up paying the attacker instead.
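One way to catch the near-miss names described above is to compare every gem in a project's Gemfile.lock against a list of well-known gems, folding the separators that RubyGems treats as distinct and allowing one character of edit distance. The Ruby script below is an added example written for this article, not code from ReversingLabs or from RubyGems; the list of popular gems and the sample lockfile are constructed for illustration (a real check would build the popular list from rubygems.org download statistics), and a hit means "look at this", not "this is malicious".

```ruby
# Added example: flag Gemfile.lock dependencies whose names are suspiciously
# close to well-known gems. Heuristic only.

# Constructed sample of "popular" gem names (a real check would load this from
# rubygems.org download statistics).
POPULAR_GEMS = %w[atlas_client nokogiri rack rails rake rspec].freeze

# RubyGems treats "atlas-client" and "atlas_client" as two unrelated gems, so
# compare names with separators and case folded.
def normalize_gem_name(name)
  name.downcase.tr('-', '_')
end

# Levenshtein edit distance: minimum single-character inserts, deletes and
# substitutions needed to turn +a+ into +b+.
def levenshtein(a, b)
  prev = (0..b.length).to_a
  a.each_char.with_index(1) do |ca, i|
    cur = [i]
    b.each_char.with_index(1) do |cb, j|
      cost = ca == cb ? 0 : 1
      cur << [prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost].min
    end
    prev = cur
  end
  prev[b.length]
end

# Extract gem names from the "specs:" section of a Gemfile.lock. Every resolved
# gem, direct or transitive, has one entry at four spaces of indentation; the
# six-space lines beneath an entry are its dependency declarations.
def lockfile_gems(lockfile_text)
  in_specs = false
  names = []
  lockfile_text.each_line do |line|
    if line.strip == 'specs:'
      in_specs = true
      next
    end
    in_specs = false unless line.start_with?(' ')
    next unless in_specs && (m = line.match(/\A {4}(\S+) \(/))
    names << m[1]
  end
  names
end

# Pair each suspicious dependency with the popular gem it resembles.
def typosquat_candidates(lockfile_text, popular = POPULAR_GEMS, max_distance: 1)
  by_norm = popular.map { |g| [normalize_gem_name(g), g] }.to_h
  lockfile_gems(lockfile_text).filter_map do |dep|
    next if popular.include?(dep) # exact name: this is the real gem
    norm = normalize_gem_name(dep)
    real = by_norm[norm] ||
           popular.find { |g| levenshtein(norm, normalize_gem_name(g)) <= max_distance }
    [dep, real] if real
  end
end

# Constructed sample lockfile: "atlas-client" and "nokogirl" are look-alikes.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (6.0.3)
      atlas-client (0.0.2)
      nokogirl (1.10.9)
      rack (2.2.3)
      rails (6.0.3)
        actionpack (= 6.0.3)
      rspec-rails (4.0.0)

  PLATFORMS
    ruby

  DEPENDENCIES
    atlas-client
    rails

  BUNDLED WITH
     2.1.4
LOCK

if __FILE__ == $PROGRAM_NAME
  typosquat_candidates(SAMPLE_LOCKFILE).each do |dep, real|
    puts "#{dep}: looks like #{real}, verify it before trusting it"
  end
end
```

Run against the sample it reports atlas-client (separator swap) and nokogirl (one-character typo) and stays quiet about rspec-rails, whose name is legitimately derived from a popular gem. Keep the distance threshold at one: at two, short names such as rack and rake start colliding with each other.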
The attack didn't succeed in creating any false transactions, and if it had, the victims would have been the developers who installed the gem rather than the users of their applications, because the payload ran on the machine where the gem was installed, not inside the software built with it. Nevertheless, it's one of over 750 malicious packages that security researchers at threat detection company ReversingLabs found in the RubyGems repository.
It also highlights the dangers of relying on third-party packages without really understanding what they do. It's a problem that open-source advocates like the Linux Foundation understand. It published a report in February detailing several other such incidents, including one in July 2019 where an attacker compromised a legitimate RubyGems user's account and used it to publish a tampered version of that user's legitimate package with malicious code added. In that case there was no misspelled name to spot: the package came from the real project, under the real name.
There’s no easy answer to this for the many developers using open-source packages downloaded from repositories. As with so many cybersecurity challenges, defending yourself against software supply chain attacks comes down to multiple layers of defense.
Verifying checksums, so that you know you've downloaded exactly the file the repository published, is one measure (in Ruby, pinning exact versions in Gemfile.lock keeps a later upload from silently replacing what you tested). But a checksum proves only that the bytes are the ones the repository served, not that they are benign: if a legitimate maintainer's account has been compromised, the tampered version has a perfectly valid checksum of its own. Another measure is to use code analysis tools that identify suspicious code in the packages you're using (ReversingLabs sells one, which is how it keeps finding these malicious packages).
Many coders won't have the budget for these tools, but at the very least developers should read the source of the packages they depend on, to get a sense of how they work and to spot anything that raises a red flag. That reading should cover more than the library code itself: the gemspec and any native-extension build script it lists (an extconf.rb, for instance) run during gem install, before your application has loaded a single line of the gem, which is exactly where an install-time payload would hide. Reading the code helps ensure that a package isn't poisoning your software, and it may also prompt coders to give something back by contributing enhancements to the open-source packages they use. It's another way to keep the community healthy.
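For the manual review recommended above, a first pass can be automated: fetch the gem without installing it (gem fetch NAME, then gem unpack NAME-VERSION.gem, both standard RubyGems commands, so no install-time hook ever runs), then walk the unpacked tree looking for the things a reviewer would want to read first. The Ruby scanner below is an added example written for this article, not a ReversingLabs tool or anything from RubyGems; its red-flag patterns are my own heuristics, and the sample gem it writes to a temporary directory is a constructed stub that imitates only the shape of the behaviour described above (an install-time script that checks for Windows and launches a bundled binary disguised as an image) and contains no working payload.

```ruby
require 'tmpdir'
require 'fileutils'

# Added example: heuristic triage of an unpacked gem before reading it by hand.
# A hit means "read this closely", not "this is malicious".
RED_FLAGS = {
  'shell command execution' => /\b(?:system|exec|spawn|IO\.popen)\s*\(|`[^`\n]+`|%x[\[({]/,
  'dynamic code execution'  => /\b(?:eval|instance_eval|class_eval|module_eval)\s*\(/,
  'obfuscated payload'      => /Base64\.(?:strict_|urlsafe_)?decode64|\.unpack\s*\(?\s*["']m/,
  'platform fingerprint'    => /RUBY_PLATFORM|Gem\.win_platform\?/,
  'network access'          => /Net::HTTP|open-uri|URI\.open|TCPSocket/,
  'install-time hook'       => /\bextensions\s*(?:=|<<)/
}.freeze

SOURCE_EXTENSIONS = %w[.rb .gemspec .rake].freeze
NATIVE_EXTENSIONS = %w[.exe .dll .so .bundle .dylib].freeze

# A Windows PE ("MZ") or ELF binary stored under a non-executable name, such
# as an image, is a classic way to smuggle a dropper inside a package.
def disguised_executable?(path)
  magic = File.binread(path, 4).to_s
  native = magic.start_with?('MZ') || magic == "\x7FELF".b
  native && !NATIVE_EXTENSIONS.include?(File.extname(path).downcase)
end

# Returns [relative_path, line_number, label] triples; line 0 means the finding
# concerns the whole file rather than one line.
def scan_gem_dir(dir)
  findings = []
  Dir.glob(File.join(dir, '**', '*')).sort.each do |path|
    next unless File.file?(path)
    rel = path.delete_prefix("#{dir}/")
    findings << [rel, 0, 'disguised native executable'] if disguised_executable?(path)
    next unless SOURCE_EXTENSIONS.include?(File.extname(rel))
    File.foreach(path).with_index(1) do |line, lineno|
      RED_FLAGS.each do |label, pattern|
        findings << [rel, lineno, label] if line.scrub.match?(pattern)
      end
    end
  end
  findings
end

# Constructed stub laid out like the gem described in the article. The "PNG" is
# a few PE header bytes, not a program, and extconf.rb is never executed here.
SAMPLE_GEM_FILES = {
  'atlas-client.gemspec' => <<~'RUBY',
    Gem::Specification.new do |s|
      s.name        = 'atlas-client'
      s.version     = '0.0.2'
      s.summary     = 'Client for the Atlas API'
      s.files       = Dir['lib/**/*', 'ext/**/*']
      s.extensions  = ['ext/extconf.rb']
    end
  RUBY
  'ext/extconf.rb' => <<~'RUBY',
    require 'mkmf'
    if Gem.win_platform?
      dropper = File.expand_path('../lib/icon.png', __dir__)
      system("cmd /c start #{dropper}")
    end
    create_makefile('atlas_client')
  RUBY
  'lib/atlas_client.rb' => "module AtlasClient\n  VERSION = '0.0.2'\nend\n",
  'lib/icon.png' => "MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00".b
}.freeze

def write_sample_gem(dir)
  SAMPLE_GEM_FILES.each do |rel, content|
    full = File.join(dir, rel)
    FileUtils.mkdir_p(File.dirname(full))
    File.binwrite(full, content)
  end
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |dir|
    write_sample_gem(dir)
    scan_gem_dir(dir).each { |rel, line, label| puts "#{rel}:#{line}: #{label}" }
  end
end
```

On the stub it reports the extensions declaration in the gemspec, the Windows check and the system() call in extconf.rb, and the PE header hiding under a .png name, while the harmless library file produces nothing. Point scan_gem_dir at a directory produced by gem unpack to triage a real gem; expect false positives from legitimate native extensions and from gems that genuinely shell out, which is why the output is a reading list rather than a verdict.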