SHAREDOpen source package entry points could be used for...

Open source package entry points could be used for command jacking

Open source package entry points could be used for command jacking

  • npm (the Node.js package manager)
  • pip (the Python package installer)
  • git (a version control system)
  • kubectl (a Kubernetes command-line tool)
  • terraform (an Infrastructure as Code tool)
  • gcloud (Google Cloud’s command-line interface)
  • heroku (the Heroku command line interface)
  • dotnet (the command line interface for .NET Core)

“Each of these commands is widely used in various development environments, making them attractive targets for attackers looking to maximize the impact of their malicious packages,” says the report.

Another command jacking tactic has been dubbed “command wrapping.” Instead of replacing a command, an attacker creates an entry point that acts as a wrapper around the original command. This stealthy approach allows attackers to maintain long-term access and potentially exfiltrate sensitive information without raising suspicion, says the report. However, it adds, implementing command wrapping requires additional research by the attacker. They need to understand the correct paths for the targeted commands on different operating systems and account for potential errors in their code. This complexity increases with the diversity of systems the attack targets.

A third tactic would be creating malicious plugins for popular tools and frameworks. For example, if an attacker wanted to target Python’s pytest testing framework, they would create a plugin which appears to be a utility to help in testing that uses pytest’s entry point. The plugin could then run malicious code in the background, or allow buggy or vulnerable code to pass quality checks.

Latest news

Web Server Hardware Comparison and Review

What is a server? Let’s start with a basic definition of a web server: “A server is a computer...

Free-threaded programming in Python 3.13

This (half-) month in Python and elsewhere: Python 3.13’s “no-GIL” or “free-threaded” version is out, and you can try...

Generative AI’s top issues facing CIOs

Credit: iStock by Getty Images I asked OpenAIs ChatGPT “What are the top issues facing CIOs? The results were, frankly, very interesting. They...

Building AI-Powered Apps with IBM Watson on IBM Cloud

Artificial intelligence is a transformative technology and way ahead from traditional computer programs. Generative AI can augment human intelligence...

Top Announcements of AWS re:Invent 2023 – Blog

Amazon Q  AWS announces Amazon Q, a new generative AI–powered assistant that is specifically designed for work and can be tailored...

Making generative AI work for you

The key, he says, is to figure out how to get value from genAI assistants despite their failings, by...

Must read

Top 10 CIO Trends for 2019

As we get ready to close out 2018 and...

Are the cloud wars over or just getting started?

One of the biggest opportunities for enterprises large and...

You might also likeRELATED
Recommended to you