As news continues to cascade on a recent dependency hijacking software supply chain attack, detections of dependency confusion (a.k.a. namespace confusion) copycat packages are on the rise. These counterfeit packages, using the same attack method that compromised the internal systems of over 35 major companies including Microsoft, Apple, Tesla, and Netflix, are surfacing in npm and potentially other open source registries (PyPI, RubyGems, NuGet, etc). The targeted companies pulled the malicious and counterfeit packages into their development environments automatically, with no engineering mistake involved: the attack exploits a design flaw in npm and other open source ecosystems, which perform no authentication of namespaces and no check of a package's coordinates.
Namespacing in public open source repositories matters because it is exactly the gap bad actors use to gain access to critical infrastructure. Organizations need a way to secure their software supply chains against dependency confusion attacks.
Dependency Confusion Protection with Nexus Firewall and Nexus Repository
New in Nexus IQ Server 106 and Nexus Repository 3.30
We are excited to launch Sonatype’s new Dependency Confusion Policy Protection using Nexus Firewall and Nexus Repository! Nexus users can now automate dependency confusion protection at scale by connecting Nexus IQ Server’s policy management and component intelligence data with proxy repositories in Nexus Repository Manager.
Dependency Confusion Policy Protection features discussed in this section require licenses of Nexus Repository Manager, Nexus Firewall and Nexus IQ Server. For further information and documentation on setting up Dependency Confusion Protection, see Preventing Namespace Confusion.
It is extremely dangerous for a development pipeline to confuse your own proprietary software components with public components in open source registries that carry the same name but a completely different author. Since malicious code in a counterfeit public component can execute at install time, such components need to be blocked as early as possible.
Enforcing protection against dependency confusion attacks is as simple as:
✔ Connect Nexus Repository Manager to Nexus IQ Server
✔ Turn on ‘Proprietary Components’ feature in Nexus Repository
✔ Configure Dependency Confusion Policy in Nexus IQ Server
✔ Automate at scale with Nexus Firewall
Nexus Repository users can now flag hosted repositories containing proprietary components (private internal components for your organization) and configure Nexus Repository to send the names of all your proprietary components to Nexus IQ Server. Once Nexus IQ Server has this list of names, any component requested from a proxy repository whose name matches the name of one of your proprietary components is flagged via the new Dependency Confusion Policy. Nexus Firewall then scales this protection by automatically quarantining the flagged components until the dependency/namespace confusion evaluation is completed.
Components quarantined by the Nexus IQ policy can be reviewed in the Repository Results View. From this view you can also re-evaluate all pre-existing components in the proxy repository against the new policy configuration, which shows whether any component downloaded in the past violates the new policy and is therefore suspicious.
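The name-matching flow described above (hosted proprietary names reported to a policy engine, proxy requests checked against them and quarantined on a hit, and previously cached components re-evaluated when the policy is introduced) can be illustrated with a small script. This is an added example, not Sonatype's code and not how Nexus IQ Server is implemented; the package names, the proxy-request log and the `HOSTED_PROPRIETARY` list are constructed for the demonstration. The per-ecosystem name normalisation is an assumption added here (PyPI really does treat `-`, `_` and `.` as equivalent and ignores case per PEP 503; npm names are lowercase by registry rule), so that lookalike spellings of an internal name do not slip past a naive string comparison.

```python
import re
from dataclasses import dataclass

# Constructed sample data: components living in hosted (proprietary) repos.
# All names are invented for this example.
HOSTED_PROPRIETARY = [
    ("npm", "acme-internal-auth"),
    ("npm", "@acme/ui-kit"),
    ("pypi", "acme_billing"),
]

# Constructed proxy-request log: (ecosystem, name, version) pulled from public registries.
PROXY_REQUESTS = [
    ("npm", "lodash", "4.17.21"),
    ("npm", "acme-internal-auth", "99.0.0"),  # same name as a hosted component
    ("pypi", "requests", "2.25.1"),
    ("pypi", "Acme.Billing", "9.9.9"),        # collides only after PEP 503 normalisation
    ("npm", "@acme/ui-kit", "1.0.0"),         # scoped npm name that is also hosted internally
]


@dataclass(frozen=True)
class Component:
    ecosystem: str
    name: str
    version: str


def normalize(ecosystem: str, name: str) -> str:
    """Canonical form of a package name so lookalike spellings still match.

    PyPI treats runs of '-', '_' and '.' as one separator and compares
    case-insensitively (PEP 503). npm requires lowercase names, so lowercasing
    is a no-op there but harmless.
    """
    if ecosystem == "pypi":
        return re.sub(r"[-_.]+", "-", name).lower()
    return name.lower()


def proprietary_index(hosted):
    """The set of (ecosystem, normalised name) pairs the hosted repos report."""
    return {(eco, normalize(eco, name)) for eco, name in hosted}


def evaluate(requests, index):
    """Split proxy requests into quarantined and allowed components.

    A request is quarantined when its name matches a proprietary component in
    the same ecosystem. Matching is by name only, as the policy in the post
    describes, so a hit means 'hold for review', not 'proven malicious'.
    """
    quarantined, allowed = [], []
    for eco, name, version in requests:
        comp = Component(eco, name, version)
        if (eco, normalize(eco, name)) in index:
            quarantined.append(comp)
        else:
            allowed.append(comp)
    return quarantined, allowed


def reevaluate_cache(cached, index):
    """Re-run the policy over components downloaded before it existed and
    return the ones that now violate it (the 'suspicious' past downloads)."""
    violating, _ = evaluate(cached, index)
    return violating


if __name__ == "__main__":
    index = proprietary_index(HOSTED_PROPRIETARY)
    quarantined, allowed = evaluate(PROXY_REQUESTS, index)
    for c in quarantined:
        print(f"QUARANTINE {c.ecosystem}:{c.name}@{c.version} (name collides with a proprietary component)")
    for c in allowed:
        print(f"allow      {c.ecosystem}:{c.name}@{c.version}")
    # Simulate the re-evaluation view: treat the same log as an old cache.
    print(f"{len(reevaluate_cache(PROXY_REQUESTS, index))} previously cached component(s) now violate the policy")
```

The design choice worth noting is that the check is keyed on (ecosystem, normalised name) rather than on the raw string: an attacker publishing `Acme.Billing` on PyPI would resolve to the same canonical name as the internal `acme_billing`, and a policy that compared raw strings would miss it. Because the rule is name-only, a legitimate public package that happens to share a name with an internal one is also held, which is why the quarantined set is meant to be reviewed rather than auto-rejected.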
Sonatype’s automated Dependency Confusion Policy Protection delivers secure, intelligent dependency management at scale. We are excited to deliver protection against dependency/namespace confusion attacks to all of our Nexus users. To those who are new, we encourage you to download a free-trial of Nexus Repository Pro and check out Nexus Firewall to keep your software supply chains secure.
Automated Malware Prevention Blocks Malicious Behavior with Nexus Firewall
What if Microsoft, Apple, Tesla, Netflix and the other 35 major companies were able to block the counterfeit packages before the news became public? How would the headlines change if organizations were able to block potentially malicious behavior before a breach would occur? Here at Sonatype, such an advanced concept has become reality as our Nexus Intelligence research engine now automatically detects and blocks counterfeit and malicious behavior with new Release Integrity capability.
In fact, Nexus customers using Nexus Firewall and our Advanced Development Pack with Release Integrity were protected from the recent dependency hijacking attack: Sonatype's detection system flagged the suspicious packages uploaded by the security researcher back in July 2020. Over the following months our automated malware detection system continued to flag the packages to protect our customers from any rogue behavior. What was actually happening became clear on February 9, 2021, when the security researcher announced publicly that he had successfully breached critical infrastructure through a dependency/namespace confusion attack.
Image: Sonatype automated malware detection system, Release Integrity, illustrated
To summarize top takeaways on all things next-gen software supply chain attacks and intelligent dependency management:
- Nexus Firewall and Nexus Repository automate dependency confusion protection at scale: Sonatype’s new Nexus Firewall Policy combined with Nexus Repository can protect against Dependency/Namespace Confusion attacks. Reach out to our teams to secure your software supply chains with Repository Pro and Nexus Firewall.
- Newly identified malicious dependency confusion copycat packages are on the rise: As of earlier this week, 750+ npm copycat packages have been identified by Sonatype’s automated malware detection system since news on the attack broke in February. The latest malicious packages target Amazon, Zillow and Slack.
- Nexus Intelligence has become indispensable for dependency management: Approximately 20,000 new versions of components are released each day, making it impossible for most teams to manually manage dependencies. Sonatype’s expanded Nexus Intelligence capabilities and automated malware detection system identify malicious behavior to keep Nexus users safe from the next unknown ‘next-gen’ supply chain attack that has not actually happened yet...
Stay tuned for more exciting upcoming Nexus solution releases to automate intelligent dependency management, keeping your supply chains secure and your organizations out of the next breaking news and latest headlines.