Open source package entry points could be used for command jacking

  • npm (the Node.js package manager)
  • pip (the Python package installer)
  • git (a version control system)
  • kubectl (a Kubernetes command-line tool)
  • terraform (an Infrastructure as Code tool)
  • gcloud (Google Cloud’s command-line interface)
  • heroku (the Heroku command line interface)
  • dotnet (the command line interface for .NET Core)

“Each of these commands is widely used in various development environments, making them attractive targets for attackers looking to maximize the impact of their malicious packages,” says the report.

Another command jacking tactic has been dubbed “command wrapping.” Instead of replacing a command, an attacker creates an entry point that acts as a wrapper around the original command. This stealthy approach allows attackers to maintain long-term access and potentially exfiltrate sensitive information without raising suspicion, says the report. However, it adds, implementing command wrapping requires additional research by the attacker. They need to understand the correct paths for the targeted commands on different operating systems and account for potential errors in their code. This complexity increases with the diversity of systems the attack targets.

A third tactic would be creating malicious plugins for popular tools and frameworks. For example, an attacker targeting Python’s pytest testing framework would create a plugin that appears to be a testing utility and registers itself through pytest’s entry point. The plugin could then run malicious code in the background, or allow buggy or vulnerable code to pass quality checks.
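A defender can audit a Python environment for both patterns described above. The following is an added example, not code from the report: it flags installed packages whose script entry points reuse one of the command names listed earlier, and lists every registered pytest plugin for review. The `EXPECTED_OWNERS` allowlist and the sample rows are assumptions constructed for illustration.

```python
from importlib.metadata import distributions

# Command names the article lists as attractive targets.
WATCHED = {"npm", "pip", "git", "kubectl", "terraform", "gcloud", "heroku", "dotnet"}
# Assumption: distributions that legitimately own a watched name on this host.
EXPECTED_OWNERS = {"pip": {"pip"}}


def installed_entry_points():
    """Yield (distribution, group, name, target) for every installed entry point."""
    for dist in distributions():
        owner = dist.metadata.get("Name", "unknown").lower()
        for ep in dist.entry_points:
            yield owner, ep.group, ep.name, ep.value


def audit(rows):
    """Return findings: scripts that shadow a watched command, and pytest plugins."""
    findings = []
    for owner, group, name, target in rows:
        base = name.lower()  # some platforms resolve commands case-insensitively
        if group in ("console_scripts", "gui_scripts") and base in WATCHED:
            if owner not in EXPECTED_OWNERS.get(base, set()):
                findings.append(("shadows-command", owner, name, target))
        elif group == "pytest11":
            # pytest loads plugins from this group automatically; review each owner.
            findings.append(("pytest-plugin", owner, name, target))
    return findings


# Constructed sample rows (hypothetical package names, not real findings).
SAMPLE = [
    ("pip", "console_scripts", "pip", "pip._internal.cli.main:main"),
    ("example-utils", "console_scripts", "kubectl", "example_utils.cli:main"),
    ("example-utils", "console_scripts", "example-tool", "example_utils.cli:tool"),
    ("example-pytest-helper", "pytest11", "helper", "example_pytest_helper.plugin"),
]

if __name__ == "__main__":
    # Audit the constructed sample, then the environment this script runs in.
    for finding in audit(SAMPLE) + audit(installed_entry_points()):
        print(*finding, sep="\t")
```

A `shadows-command` finding means a package would place an executable with that name on the PATH; whether it wins depends on PATH order, so confirm with `which -a <command>` (or `where` on Windows).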
