Last Updated on 13/03/2022 by Nidhi Khandelwal
Multiple security flaws have been discovered in major package managers that, if exploited, might allow attackers to run arbitrary code and access sensitive data from vulnerable machines, such as source code and access tokens.
It’s worth mentioning, however, that the issues can only be triggered when a targeted developer processes a malicious package with one of the affected package managers.
“This means that an attack from afar cannot be conducted directly against a development computer, and the developer must be duped into loading faulty files,” SonarSource researcher Paul Gerste explained. “However, can you always know and trust the owners of all the packages you download from the internet or from company-owned repositories?”
Package managers are systems, or collections of tools, that automate the installation, upgrade, and configuration of the third-party dependencies needed to develop applications.
While there are security risks associated with rogue libraries making their way into package repositories, which necessitates that dependencies be thoroughly scrutinized to avoid typosquatting and dependency confusion attacks, the “act of managing dependencies is usually not seen as a potentially risky operation,” according to the report.
One of the most serious flaws is a command injection issue in Composer’s browse command, which could be exploited to execute arbitrary code by way of a URL embedded in a malicious package that has already been published.
If the package makes use of typosquatting or dependency confusion techniques, it’s possible that invoking the browse command for the library may result in the retrieval of a next-stage payload, which can subsequently be used to launch more attacks.
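The Composer issue above is a specific instance of a general pattern: a package manager takes a URL from package metadata it does not control and hands it to an operating-system command. The following is an added example, not Composer's or SonarSource's code, that shows the defensive shape such a "browse" feature should have. It validates the package-supplied URL (scheme, host, character set, no embedded credentials) and then passes it as a single argv element rather than splicing it into a shell string, so metadata can never start a second command. The opener command `xdg-open` and all sample URLs are assumptions constructed for the example.

```python
"""Added example (not Composer's or SonarSource's code): validating a
package-supplied URL before a package manager opens it with an OS command."""
import re
import subprocess
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}

# Only characters RFC 3986 permits anywhere in a URL. Whitespace, quotes,
# backticks, pipes, angle brackets, braces and control characters fail here.
URL_CHARS_RE = re.compile(r"^[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]+$")

# DNS-style hostname: dot-separated labels of letters, digits and hyphens,
# no label starting or ending with a hyphen. Bracketed IPv6 literals are
# deliberately rejected to keep the example small.
HOST_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def is_safe_package_url(url: str) -> bool:
    """Return True only for a plain http(s) URL with a DNS-style host,
    a valid port, no userinfo and no characters a URL may not contain."""
    if not isinstance(url, str) or not 0 < len(url) <= 2048:
        return False
    if not URL_CHARS_RE.match(url):
        return False
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES:
        return False
    # "https://user:secret@host/" would leak credentials to the opener and
    # is never a legitimate package homepage.
    if parsed.username is not None or parsed.password is not None:
        return False
    host = parsed.hostname
    if not host or not HOST_RE.match(host):
        return False
    try:
        parsed.port  # raises ValueError for an out-of-range or non-numeric port
    except ValueError:
        return False
    return True


def build_browse_command(url: str) -> list:
    """Return the argv list used to open `url`, or raise ValueError.

    The URL is one argv element and is never interpolated into a shell
    string, so shell metacharacters inside it cannot terminate the command
    and start another. Because the validator requires an http(s) scheme,
    the value also cannot be mistaken for a command-line option of the
    opener (a bare "-something" would otherwise be parsed as a flag).
    """
    if not is_safe_package_url(url):
        raise ValueError("refusing to open untrusted package URL: %r" % (url,))
    return ["xdg-open", url]  # opener command is an assumption for this example


def open_package_homepage(url: str) -> int:
    """Open the validated URL with the system opener; returns the exit code."""
    argv = build_browse_command(url)
    completed = subprocess.run(argv, shell=False, check=False)
    return completed.returncode


if __name__ == "__main__":
    # Constructed sample metadata values, as a package manager might read them.
    for candidate in [
        "https://github.com/example/package",
        "https://example.test/ --flag",
        "file:///etc/passwd",
        "https://user:secret@example.test/",
    ]:
        print("%-40s safe=%s" % (candidate, is_safe_package_url(candidate)))
```

The important design choice is the combination: structural validation stops values that are not URLs at all (a local `file:` path, a bare option string, embedded credentials, whitespace), and the argv list removes the shell from the picture for everything that passes. Either measure alone leaves a gap; a validator is easy to get wrong, and an argv list still lets a crafted value reach the opener as an option if the scheme is not pinned.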