UPDATED 22:45 EST / FEBRUARY 10 2021


Security researcher breaches Apple, Microsoft and others by exploiting open-source repositories

A security researcher has uncovered a security vulnerability that allowed him to run code on internal systems belonging to major companies, including Apple Inc., Microsoft Corp., Netflix Inc., PayPal Holdings Inc., Tesla Inc. and others by exploiting open-source repositories.

The supply chain attack was detailed late Tuesday by researcher and ethical hacker Alex Birsan and involved uploading malware to open-source repositories including PyPI, npm and RubyGems, from which it was then distributed downstream.

According to Bleeping Computer, the supply chain attack needed no action by the victims, who automatically received the malicious code because of a design flaw in open-source ecosystems called “dependency confusion.” The technique, which Microsoft calls a “substitution attack,” allows threat actors to sneak malicious code into private code repositories simply by registering internal library names on public, open-source package indexes.

Starting with a malicious node package uploaded to the npm registry, Birsan then went further into other repositories to see how far he could take the exploit.

“To strike a balance between the ability to identify an organization based on the data and the need to avoid collecting too much sensitive information, I settled on only logging the username, hostname and current path of each unique installation,” Birsan explained. “Along with the external IPs, this was just enough data to help security teams identify possibly vulnerable systems based on my reports.”

Microsoft has also published a white paper on the subject that goes through the risks involved with this type of attack. “One common hybrid configuration that clients use is storing internal packages on a private feed but allowing the retrieval of dependencies from a public feed,” the Microsoft white paper notes. “This ensures that the latest package releases are automatically adopted when referenced from a package that does not need to be updated. Internal developers publish their packages to this private feed and consumers check both private and public feeds for the best available versions of the required packages. This configuration presents a supply chain risk: the substitution attack.”
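The hybrid configuration described in the white paper can be made concrete with a small model. The following is an added example written for this page, not code from Birsan or Microsoft: it simulates a resolver that consults a private and a public feed and takes the “best available version,” shows how a public package that merely shares an internal name and carries a higher version wins, and contrasts that with a resolver that never looks up internal names on the public feed. It also includes the audit a defender would run over their own feeds to find names that collide. All package names, versions and feed contents are constructed sample data.

```python
# Added illustration of the hybrid-feed "substitution" risk described above.
# Example code written for this page, not Birsan's or Microsoft's.
# Package names, versions and feed contents are constructed sample data.

from typing import Dict, List, Optional, Set, Tuple

Feed = Dict[str, List[str]]   # package name -> available versions
Feeds = Dict[str, Feed]       # feed name -> feed contents

# Constructed sample feeds. "acme-internal-utils" is a private package whose
# name has also been registered on the public index with a very high version.
FEEDS: Feeds = {
    "private": {
        "acme-internal-utils": ["1.1.0", "1.2.0"],
    },
    "public": {
        "acme-internal-utils": ["99.0.0"],   # name collision on the public index
        "requests": ["2.24.0", "2.25.1"],
    },
}

# Names the organisation knows are internal-only (constructed).
INTERNAL_NAMES: Set[str] = {"acme-internal-utils"}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn a dotted version string into a comparable tuple.

    The sample data only uses plain integer components, so a simple split is enough.
    """
    return tuple(int(part) for part in v.split("."))


def resolve_highest(name: str, feeds: Feeds) -> Optional[Tuple[str, str]]:
    """Hybrid resolution: consult every feed and take the highest version found anywhere.

    This is the behaviour the white paper warns about: a public package that
    merely shares an internal name and carries a higher version wins.
    Returns (feed, version), or None if the package is on no feed.
    """
    best: Optional[Tuple[str, str]] = None
    for feed_name, feed in feeds.items():
        for version in feed.get(name, []):
            if best is None or parse_version(version) > parse_version(best[1]):
                best = (feed_name, version)
    return best


def resolve_scoped(name: str, feeds: Feeds, internal: Set[str]) -> Optional[Tuple[str, str]]:
    """Mitigated resolution: internal names are only ever looked up on the private feed.

    A missing internal package is an error (None), never a fallback to the
    public feed. Public names still resolve from the public feed as before.
    """
    if name in internal:
        versions = feeds["private"].get(name, [])
        if not versions:
            return None
        return ("private", max(versions, key=parse_version))
    return resolve_highest(name, {"public": feeds["public"]})


def audit_name_collisions(feeds: Feeds) -> List[str]:
    """List private package names that also exist on the public feed.

    Every hit is a name a hybrid resolver could substitute; these are the
    names to claim, scope to the private feed or block in the proxy.
    """
    return sorted(set(feeds["private"]) & set(feeds["public"]))


if __name__ == "__main__":
    print("hybrid    :", resolve_highest("acme-internal-utils", FEEDS))               # ('public', '99.0.0')
    print("scoped    :", resolve_scoped("acme-internal-utils", FEEDS, INTERNAL_NAMES))  # ('private', '1.2.0')
    print("collisions:", audit_name_collisions(FEEDS))                                # ['acme-internal-utils']
```

The scoped resolver is the shape of the fix the white paper points toward: a client-side controlled scope (or a single proxy feed that owns the internal namespace) so that an internal name can never be satisfied by a public index, regardless of which version number is advertised there. The collision audit is what a team would run against its own private feed to find names that need that protection.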

Craig Young, principal security researcher at cybersecurity and compliance solutions firm Tripwire Inc., told SiliconANGLE that this is a very serious industrywide problem.

“Organizations face a constant stream of choices between reinventing every wheel, entering costly license agreements or utilizing open-source software,” Young explained. “Embracing open source has allowed many businesses to flourish while keeping down the cost of initial development at the expense of extremely murky supply chains. Software development firms should ideally be tuned in to every change happening within externally sourced software, but in reality this is next to impossible for software projects of even moderate complexity.”

The problem, he added, is that dependency chains can quickly spiral out of control, and there are often good reasons for wanting quick updates, such as security or general bug fixes.

“Identifying, interpreting and analyzing potentially thousands of lines of code could largely offset the cost savings of open source for some organizations,” he said. “When software development firms allow their employees to download and start working with arbitrary coding modules from public repositories, they are exposing themselves to both security and legal risk. In this case, it was a researcher with an innocuous ‘phone home’ payload, but it could have just as easily been an APT deploying a malware implant or a patent troll deploying a commercially licensed algorithm.”

Image: Alex Birsan
