BSidesSATX 2023

Malware and Malicious Code in the Open Source Software Supply Chain
2023-06-10, 11:00–11:25, Track 1 (UC Conference Rm A)

Bad actors are targeting your developers through open source software. In this talk you will find a variety of specific examples of recent supply chain attacks in software ecosystems such as npm and PyPI. You will also learn about recent trends and techniques in these attacks, and ideally you will learn about how to lower the risk of a compromise in your software development environment. This talk is intended for all audiences, and no prior knowledge of malicious code or malware is assumed.


The open source software ecosystem is a vast, sprawling global metropolis full of opportunities and dangers. Yet, we as software developers often approach it with a small-town mentality. Whereas in a few places it is perfectly safe to leave your keys in the running car while you make a quick trip into the convenience store, it would be foolish to do so in places where a bad actor is waiting to take advantage of your naïvety. The bad actor's success is not due to sophistication, but rather to the ability to take advantage of a fundamental assumption that you had about the relative security of your location.

And so it is with open source software security. Some attacks are successful because of technical prowess, such as some esoteric technical bug that a sophisticated actor manages to exploit and deploy. But many others, especially some recent widespread ones, are successful simply because they prey on our cultural assumptions and human frailties as software developers. Bad actors deploy relatively unsophisticated packages, hidden under layers of obfuscation, in our open source software ecosystems, and these packages exploit not merely our systems, but our humanity as well.

The barrier to entry for these attackers is pitifully low, and the reward can be astonishingly high, similar to the risk/reward proposition of email spammers from an earlier era. Attackers have demonstrated the ability to automate publication of these malicious packages in open source ecosystems, and before the repository maintainers can take these packages down, they have already been installed by some unsuspecting developer.

In this talk you will learn about these kinds of attacks, their volume, and their velocity through specific examples of recent attacks (e.g., typosquatting, combosquatting, starjacking, dependency confusion, and others) on PyPI and npm. You will also learn about how a defense-in-depth approach can mitigate these risks for developers. Finally, you will ideally leave this talk with a new perspective on the dangers lurking in open source software ecosystems.

Ross Bryant, Ph.D. is the Senior Security Researcher at Phylum and leads the Phylum Research Team. Ross has over two decades of cybersecurity and math research experience. Prior to joining Phylum in late 2021, he worked as a research project lead at Sandia National Labs where he led a team that researched and developed real-time analytic solutions to network forensics problems. He has also worked in cybersecurity operations for the NSA and U.S. Air Force and as an Applied Research Mathematician for the NSA.