Malware targeting developers is a major concern that the industry is struggling to catch up with. We know open source software supply chain attacks are a problem with an estimated 700% increase in 2022. Gartner suggests that in the next two years “60% of organizations will use cybersecurity risk as a primary determinant in conducting third-party transactions and business engagements (source).”
Vulnerabilities vs. malware
Although vulnerabilities remain a major concern in software development, we’ll look in this article at software created by a bad actor that is directly harmful to the user. After all, vulnerable software can often still be used effectively in the right circumstances, such as a sandbox, an air-gapped environment, or with additional configuration steps. Malware is almost always damaging.
The situation is similar to a standard virus you could get from launching a file sent to you from an untrusted sender. The malware can immediately harm your environment.
At the minimum, companies affected by malware are looking at theft of resources and power for things like crypto mining. The worst outcomes include theft of company data, credentials, or customer data by means of encrypting it and asking for ransom.
Current solutions
Customers take advisories about what malware or vulnerabilities have been taken down from npm or GitHub advisories. They take that data and try to inform their security policies. The process is often very manual, and lists are prone to errors. It's also a game of cat-and-mouse to chase these newer packages constantly being repackaged with dangerous contents.
Unfortunately, by the time you have that list generated and updated, that package might have already been pulled into your repository. Even if it has been taken down from npm. And now it actively lives inside your environment to cause further damage to you or your development efforts.
You need to do more to protect yourself from malware
Current steps are not scalable and frequently not automated. Even if you’ve taken additional steps to employ tools that automatically identify and block known malware, that may still not be enough. Because malware is constantly trying to disguise itself, it will come in below the surface like a torpedo underwater.
How do you block unknown malware?
Identify camouflaged threats
One of the ways you can address this is by looking closely at a package and seeing characteristics common to malware. So for every new release, you can immediately ask questions such as:
- Is this being released by the same source that always releases it? Or is this someone trying to replicate a popular package?
- Is that package trying to be released at a different cadence than its usual release cycle?
- Is there a significant drop or increase in the number of files in that package?
Each of these concerns is not a problem in isolation. For example, a reliable project could release outside of its normal rhythm. But as you start to compile answers to these questions, you can start to make a judgment that the file is probably safe or probably malicious.
Building project profiles to avoid malware
This kind of analysis is similar to how payment services look for fraud. By looking at customers' buying patterns, they can build a persona or behavioral profile. They monitor this and look for changes that break from your standard actions.
Some examples of out-of-profile actions could include swiping your credit card in a remote part of a country you’ve never visited. Or buying something expensive for home improvement when you are not a homeowner.
Similarly, malware analysis needs to build a behavioral profile for each of the millions of packages that come out every month. And a long history of analysis means better decisions about whether to trust software from an external source.
All of those things can give you insights that merely looking at malware advisories will miss. And just like when credit card companies automatically block a suspicious transaction, you need to stop potential malware before it enters your environment.
Organizations can avoid the costly audit and cleanup efforts to resolve malware in a development environment by intelligently avoiding malware in the first place.
Automated malware prevention
Many organizations we’ve spoken with have had difficulty scaling this effort to the massive amount of software components available. The amount of data needed to analyze and collect for the npm ecosystem alone is tremendous, as well as the storage and computation requirements.
Improve your software supply chain security by automatically detecting known and unknown malware from entering development cycles. Sonatype Repository Firewall's’s Suspicious Package Blocking is the most intelligent and secure way to prevent a host of issues. These include standard vulnerabilities, malware, next-gen supply-chain attacks, brandjacking, typosquatting, and dependency confusion-type attacks.
When a concern is discovered, Sonatype Repository Firewall will automatically provide an earlier version. If the update is deemed safe after analysis, the update is automatically released back into your pipeline.
Sonatype Repository Firewall combines over 60 different signals used to identify potentially malicious activity and block risks before download. These signals feed into a first-of-its-kind Artificial Intelligence / Machine Learning (AI/ML)-powered automated malware detection and protection system.
Since 2019, we’ve discovered 106,872 packages flagged as malicious, suspicious, or proof-of-concept.
