SHAREDOpen source package entry points could be used for...

Open source package entry points could be used for command jacking

Open source package entry points could be used for command jacking

  • npm (the Node.js package manager)
  • pip (the Python package installer)
  • git (a version control system)
  • kubectl (a Kubernetes command-line tool)
  • terraform (an Infrastructure as Code tool)
  • gcloud (Google Cloud’s command-line interface)
  • heroku (the Heroku command line interface)
  • dotnet (the command line interface for .NET Core)

“Each of these commands is widely used in various development environments, making them attractive targets for attackers looking to maximize the impact of their malicious packages,” says the report.

Another command jacking tactic has been dubbed “command wrapping.” Instead of replacing a command, an attacker creates an entry point that acts as a wrapper around the original command. This stealthy approach allows attackers to maintain long-term access and potentially exfiltrate sensitive information without raising suspicion, says the report. However, it adds, implementing command wrapping requires additional research by the attacker. They need to understand the correct paths for the targeted commands on different operating systems and account for potential errors in their code. This complexity increases with the diversity of systems the attack targets.

A third tactic would be creating malicious plugins for popular tools and frameworks. For example, if an attacker wanted to target Python’s pytest testing framework, they would create a plugin which appears to be a utility to help in testing that uses pytest’s entry point. The plugin could then run malicious code in the background, or allow buggy or vulnerable code to pass quality checks.

Latest news

Dell Technologies aligns with enterprise directions

This week, Dell Technologies held their annual Dell Technologies World conference online. There were a number of announcements as...

How accurate is generative AI and is it enterprise ready?

It seems you can’t escape having a conversation today without the mention of generative AI. But how accurate is...

17 Best Themes for Pets and Animals for WordPress

Creating an online home for your furry, feathered, or finned friends requires the right pet themes. Luckily, WordPress has...

Building a Smart City – Compare the Cloud

If you ask me how I picture the future, I would imagine a city where everything worked together as...

NFV (Network Functions Virtualization) – Cloudwithease

Cloud based networking replaces network hardware appliances with virtual machines. The virtual machines used as hypervisor run networking software...

Must read

Top 10 CIO Trends for 2019

As we get ready to close out 2018 and...

Are the cloud wars over or just getting started?

One of the biggest opportunities for enterprises large and...

You might also likeRELATED
Recommended to you