Sonatype releases new Sonatype Repository Firewall policy to secure software supply chains from "dependency confusion" attacks

March 04, 2021 By Brent Kostak


As news continues to cascade about the recent dependency hijacking software supply chain attack, dependency confusion (a.k.a. namespace confusion) copycat packages are being detected in growing numbers. These counterfeit packages use the same attack method that compromised the internal systems of over 35 major companies, including Microsoft, Apple, Tesla, and Netflix, and are surfacing in npm and potentially other open source registries (PyPI, RubyGems, NuGet, etc.). The targeted companies' build tooling automatically pulled the malicious counterfeit packages into their development environments with no engineering mistake on their part: the attack exploits a design flaw in npm and other open source ecosystems, which perform no authentication of a package's namespace or coordinates.

Namespacing in public open source repositories matters because bad actors exploit its absence to gain access to critical infrastructure. Organizations need a way to secure their software supply chains against dependency confusion attacks.

Dependency confusion protection with Sonatype Repository Firewall and Sonatype Nexus Repository

New in Nexus IQ Server 106 and Nexus Repository 3.30

We are excited to launch Sonatype's new Dependency Confusion Policy Protection using Sonatype Repository Firewall and Sonatype Nexus Repository! Sonatype users can now automate dependency confusion protection at scale by connecting Sonatype IQ Server's policy management and component intelligence data with proxy repositories in Sonatype Nexus Repository.

Dependency Confusion Policy Protection features discussed in this section require licenses of Sonatype Nexus Repository, Sonatype Repository Firewall and Sonatype IQ Server. For further information and documentation on setting up Dependency Confusion Protection, see Preventing Namespace Confusion.

It is extremely dangerous for a development pipeline to confuse your own proprietary software components with public components in open source registries that have the same name but a completely different author. Since malicious code in a counterfeit public component can execute on installation, such components need to be blocked as early as possible.

Enforcing protection against dependency confusion attacks is as simple as:

✔ Connect Nexus Repository Manager to Sonatype IQ Server

✔ Turn on the "Proprietary Components" feature in Sonatype Nexus Repository

✔ Configure the Dependency Confusion Policy in Sonatype IQ Server

✔ Automate at scale with Sonatype Repository Firewall

Sonatype Nexus Repository users can now flag hosted repositories containing proprietary components (private internal components for your organization) and configure Sonatype Nexus Repository to send the names of all your proprietary components to Sonatype IQ Server. Once Sonatype IQ Server has received this list of names, any component requested from a proxy repository whose name matches one of your proprietary components is flagged by the new Dependency Confusion Policy. Sonatype Repository Firewall then scales this protection by automatically quarantining the flagged components until the dependency namespace confusion evaluation is complete.

Components quarantined by the Sonatype IQ policy can be reviewed in the Repository Results View. In this view you can also re-evaluate all pre-existing components in the proxy repository against the new policy configuration, which shows whether any component downloaded in the past violates the new policy and is therefore suspicious.
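The two paragraphs above describe the check behind the policy: the names of proprietary components in hosted repositories are compared with every component requested from (or already cached in) a proxy repository, and a name match is flagged for quarantine. The following Python is an added example written for this page, not Sonatype's code, that models that check. The ecosystem labels, repository names and component names are constructed sample data; the only real rule it relies on is PEP 503 name normalisation for PyPI, which matters because a copycat that differs only in case or in `-`/`_`/`.` separators still resolves to the same package.

```python
# Added example (not Sonatype code): a model of the proprietary-name check the
# post describes. Hosted (internal) component names are indexed; every component
# requested through a proxy repository is matched against that index and flagged
# for quarantine on a hit. Names are normalised per ecosystem first, so a
# copycat that differs only in case or separators is still caught.
# Ecosystem labels, repository names and all component names below are
# constructed sample data.
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    ecosystem: str   # "npm" or "pypi" (assumed labels)
    name: str
    version: str
    repository: str  # repository the component would be served from


def normalize(ecosystem: str, name: str) -> str:
    """Canonical form of a package name for comparison purposes."""
    if ecosystem == "pypi":
        # PEP 503: names are case-insensitive and any run of '-', '_' or '.'
        # is equivalent to a single '-'.
        return re.sub(r"[-_.]+", "-", name).lower()
    if ecosystem == "npm":
        # npm package names are lowercase; a scope stays part of the name.
        return name.lower()
    return name


def build_proprietary_index(hosted):
    """Set of (ecosystem, normalised name) for every hosted proprietary component."""
    return {(c.ecosystem, normalize(c.ecosystem, c.name)) for c in hosted}


def evaluate(requested, index):
    """Return the requested components whose names collide with a proprietary name.

    Works the same for live proxy requests and for re-evaluating components that
    were already cached by the proxy before the policy was configured.
    """
    return [c for c in requested
            if (c.ecosystem, normalize(c.ecosystem, c.name)) in index]


# Constructed sample data: what the hosted (proprietary) repositories contain ...
HOSTED = [
    Component("npm", "acme-payments", "1.4.0", "npm-internal"),
    Component("npm", "@acme/auth", "2.0.1", "npm-internal"),
    Component("pypi", "Acme_Internal.Utils", "0.3", "pypi-internal"),
]

# ... and what was requested through (or already cached in) the proxies.
REQUESTED = [
    Component("npm", "acme-payments", "99.0.0", "npm-proxy"),        # copycat
    Component("npm", "lodash", "4.17.21", "npm-proxy"),              # genuine public
    Component("npm", "@acme/auth", "9.9.9", "npm-proxy"),            # copycat
    Component("pypi", "acme-internal-utils", "99.0", "pypi-proxy"),  # copycat, differs only in normalisation
]


def quarantine_report(hosted=HOSTED, requested=REQUESTED):
    """Map each flagged name to (requested version, proxy repository)."""
    flagged = evaluate(requested, build_proprietary_index(hosted))
    return {c.name: (c.version, c.repository) for c in flagged}


if __name__ == "__main__":
    for name, (version, repo) in quarantine_report().items():
        print(f"QUARANTINE {name}@{version} from {repo}: matches a proprietary component")
```

Two points the sample data illustrates: the check is only as good as the list of proprietary names, so every hosted repository that holds internal components has to be flagged as proprietary (the second setup step above), and the copycats carry implausibly high version numbers, which is exactly why a resolver that prefers the newest version would pick them if the name match were not enforced first.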

Sonatype's automated Dependency Confusion Policy Protection delivers secure, intelligent dependency management at scale. We are excited to deliver protection against dependency/namespace confusion attacks to all of our Nexus users. To those who are new, we encourage you to download a free-trial of Sonatype Nexus Repository Pro and check out Sonatype Repository Firewall to keep your software supply chains secure.

Automated malware prevention blocks malicious behavior with Sonatype Repository Firewall

What if Microsoft, Apple, Tesla, Netflix and the other 35 major companies were able to block the counterfeit packages before the news became public? How would the headlines change if organizations were able to block potentially malicious behavior before a breach would occur? Here at Sonatype, such an advanced concept has become reality as our Sonatype Intelligence research engine now automatically detects and blocks counterfeit and malicious behavior with new Release Integrity capability.

In fact, Sonatype customers using Sonatype Repository Firewall and our Advanced Development Pack with Release Integrity were protected from the recent dependency hijacking attack when Sonatype's detection system flagged the suspicious packages uploaded by the security researcher back in July 2020.

Over the past few months, our automated malware detection system continued to flag the packages in an effort to protect our customers from any rogue behavior. What was actually happening became clear on February 9, 2021, when the security researcher publicly announced that he had successfully breached critical infrastructure via a dependency/namespace confusion attack.

Image: Sonatype automated malware detection system, Release Integrity, illustrated

To summarize top takeaways on all things next-gen software supply chain attacks and intelligent dependency management:

  • Sonatype Repository Firewall and Sonatype Nexus Repository automate dependency confusion protection at scale: The new Sonatype Repository Firewall Policy combined with Sonatype Nexus Repository can protect against dependency/namespace confusion attacks. Reach out to our teams to secure your software supply chains with Repository Pro and Sonatype Repository Firewall.
  • Newly identified malicious dependency confusion copycat packages are on the rise: As of earlier this week, 750+ npm copycat packages have been identified by Sonatype's automated malware detection system since news on the attack broke in February 2021. The latest malicious packages target Amazon, Zillow and Slack.
  • Sonatype Intelligence has become indispensable for dependency management: Approximately 20,000 new versions of components are released each day, making it impossible for most teams to manually manage dependencies. Sonatype's expanded Sonatype Intelligence capabilities and automated malware detection system identify malicious behavior to keep Sonatype users safe from the next 'next-gen' supply chain attack before it happens.

Stay tuned for more exciting upcoming Sonatype solution releases to automate intelligent dependency management, keeping your supply chains secure and your organizations out of the next breaking news and latest headlines.

Tags: featured, Product, dependency confusion, Sonatype Repository Firewall, Sonatype Nexus Repository

Written by Brent Kostak

Brent is the Director of Product Marketing connecting developers and DevOps communities to Sonatype Nexus tools and technologies.