As news continues to cascade on a recent dependency hijacking software supply chain attack, detection of dependency confusion, a.k.a. namespace confusion, copycat packages are on the rise. These counterfeit packages, presenting the same attack method which compromised over 35 major companies’ internal systems including Microsoft, Apple, Tesla, and Netflix, are surfacing in npm and potentially other open source registries (PyPI, RubyGems, NuGet, etc). These targeted companies automatically acquired the malicious and counterfeit packages in their development environments without any engineering mistakes involved in the attack, exploiting a system design flaw in how npm and other open source ecosystems have no authentication of namespace or coordinate checks.
The importance of why namespacing matters in public open source repositories highlights potential threat areas as bad actors take advantage of gaining access to critical infrastructure. Organizations are in need of being able to secure their software supply chains from dependency confusion attacks.
Dependency Confusion Protection with Nexus Firewall and Nexus RepositoryNew in Nexus IQ Server 106 and Nexus Repository 3.30
We are excited to launch Sonatype’s new Dependency Confusion Policy Protection using Nexus Firewall and Nexus Repository! Nexus users can now automate dependency confusion protection at scale by connecting Nexus IQ Server’s policy management and component intelligence data with proxy repositories in Nexus Repository Manager.
Dependency Confusion Policy Protection features discussed in this section require licenses of Nexus Repository Manager, Nexus Firewall and Nexus IQ Server. For further information and documentation on setting up Dependency Confusion Protection, see Preventing Namespace Confusion.
Development pipelines confusing your own proprietary software components with public components in open source registries, having the same name but a completely different author, is extremely dangerous. Considering malicious code from counterfeit public components can be executed upon installation, it becomes clear the need to block such components as (Read more…)