That was the reality for a lot of companies after the ua-parser-js supply chain attack. On October 22, three malicious versions of the popular package ua-parser-js, which has almost 8M weekly downloads, were released. If your company has used the compromised versions of this package, directly or indirectly, consider your systems fully compromised.
The maintainer account for ua-parser-js was taken over, meaning the attackers had control of the package and published malicious versions, which were in turn downloaded by many users around the world. The malicious versions silently installed a trojan and a crypto-mining application.
The impact is critical: the file system is made public, screenshots are taken, and unknown binaries are downloaded and executed.
A lot of companies are still vigorously trying to figure out whether they were exposed, often by spending resources and money on manually verifying that no one inside their organization used the affected malicious versions.
I fully understand the need for companies to be sure they’re not affected - but this problem also indicates that companies lack proper control over external dependencies. An investment into proper protection is something that would save money in the long run.
Malicious packages and packages with vulnerabilities: you need to protect your team, environments and organization without depending on specific individuals when it comes to dependency security. Here's a free downloadable checklist (PDF).
It’s crucial to secure your whole software supply chain, including build (CI/CD), test, development and similar environments.
The problem is that many environments do not restrict which packages can be downloaded and installed. And with as little as 10% of all maintainers using two-factor authentication, companies need to treat dependency security as a serious threat and act accordingly.
Quite a few people have contacted us asking how this could have been prevented and how to stay secure.
1. You need automated tooling that secures your existing workflows, so that developers and systems are secured by default. Unfortunately, many companies fail in this regard, which is a major gamble: it works until it no longer does.
2. Companies need to enforce dependency policies and have the right tools to control which packages are allowed in the organization. Make sure that neither automated systems nor developers install the latest version of a package without a conscious decision first being made. Of course, relying on outdated and vulnerable components is not an option either!
3. Companies need tooling to keep track of which components are used and where. Manually reviewing every piece of software or line of code when an incident occurs is neither efficient nor, in many cases, possible. Be proactive and secure your supply chain before it becomes an emergency.
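As an added illustration of points 2 and 3 (this is example code written for this post, not a tool from the original article), the script below walks an npm lockfile, reports every installed copy of a denylisted package version together with the path where it sits in the tree (direct or transitive), and lists root dependencies whose version range would silently float to a newer release on the next install. The denylist versions and the sample lockfile are constructed placeholders; the real affected versions come from the package's official advisory.

```javascript
// Assumes the npm lockfile layouts: lockfileVersion 2/3 ("packages" keyed by
// install path) or lockfileVersion 1 (nested "dependencies" tree).
const DENYLIST = {
  // Placeholder versions: replace with the exact versions named in the
  // official advisory before running this against a real lockfile.
  "ua-parser-js": new Set(["0.7.99-example-bad", "1.9.99-example-bad"]),
};

function nameFromPath(installPath) {
  // "node_modules/a/node_modules/@scope/b" -> "@scope/b"
  return installPath.slice(installPath.lastIndexOf("node_modules/") + "node_modules/".length);
}

function findDenied(lock, denylist = DENYLIST) {
  const hits = [];
  const check = (name, version, path) => {
    if (denylist[name] && denylist[name].has(version)) hits.push({ name, version, path });
  };
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === "") continue; // the root project entry
      check(meta.name || nameFromPath(path), meta.version, path);
    }
  } else if (lock.dependencies) {
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        check(name, meta.version, path);
        if (meta.dependencies) walk(meta.dependencies, `${path}/`); // nested copies
      }
    };
    walk(lock.dependencies, "");
  }
  return hits;
}

// Root dependencies declared as a range ("^", "~", "*", "latest", ">=") are
// upgraded silently by the next `npm install`; exact versions are not.
// lockfileVersion 1 files carry no declared ranges, so they yield nothing here.
function floatingRootDeps(lock) {
  const root = (lock.packages && lock.packages[""]) || {};
  const deps = { ...(root.dependencies || {}), ...(root.devDependencies || {}) };
  return Object.entries(deps)
    .filter(([, range]) => !/^\d+\.\d+\.\d+$/.test(range))
    .map(([name, range]) => `${name}@${range}`);
}

const SAMPLE_LOCK = { // constructed lockfile, not from a real project
  name: "example-app", lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { "analytics-lib": "^2.0.0", "ua-parser-js": "0.7.1" } },
    "node_modules/analytics-lib": { version: "2.3.1", dependencies: { "ua-parser-js": "^0.7.0" } },
    "node_modules/analytics-lib/node_modules/ua-parser-js": { version: "0.7.99-example-bad" },
    "node_modules/ua-parser-js": { version: "0.7.1" },
  },
};

console.log(findDenied(SAMPLE_LOCK));      // one transitive hit under analytics-lib
console.log(floatingRootDeps(SAMPLE_LOCK)); // [ 'analytics-lib@^2.0.0' ]
```

Feed a real file with `findDenied(JSON.parse(fs.readFileSync("package-lock.json", "utf8")))`; the same check belongs in CI so a denylisted version fails the build rather than being discovered during incident response.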
We are in the final sprint of Cybersecurity Awareness Month - so why not spread some awareness 😊. Here's a one-page cheat sheet on the measures you can take to protect your organization, with a link to the blog post and a free downloadable PDF.