Supply chain

Open-Source Entry Points Targeted for Supply Chain Compromise


SC Media reports that supply chain intrusions are being deployed through the initial compromise of entry points across several open-source environments, including PyPI, Ruby Gems, npm, NuGet, Rust Crates, and Dart Pub, using the command-jacking attack technique.

Threat actors have leveraged malicious plugins and extensions to inject malicious code without being detected by security systems, according to a Checkmarx report.

Critical Start Cyber Threat Research Senior Manager Callie Guenther noted these packages could allow the takeover of commands.

"Once executed, these malicious commands can harvest sensitive information, such as API keys, credentials, or cloud configurations, potentially opening the door to espionage or unauthorized access to critical infrastructure," added Guenther.

Meanwhile, the exploitation of "path order" that is common in command-jacking operations should prompt organizations' development teams to conduct audits, strengthen dependency management, ensure that only trusted and signed packages are accepted, and enforce the principle of least privilege for commands and processes to prevent potential compromise, said Sectigo senior fellow Jason Soroko.
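The audit Soroko calls for can be started with a small script. The following is an added example, not code from SC Media, Checkmarx or any of the quoted researchers, and it covers only the Python/PyPI ecosystem named above: it enumerates the `console_scripts` entry points installed in the current interpreter, flags a package whose command name matches a command that already exists elsewhere on PATH (the command-jacking case) or collides with another package's command, and lists the PATH directories searched before the system directories, which is where a package-installed script wins the "path order" race. The `ScriptEntry` type, the function names and the approved-pair baseline are this example's own assumptions; the sample data used to exercise it is constructed.

```python
"""Audit a Python environment for command-jacking: console_scripts entry points
that shadow commands already on PATH or collide with another package's script."""
from __future__ import annotations

import os
import sys
from dataclasses import dataclass
from importlib.metadata import distributions
from typing import Iterable


@dataclass(frozen=True)
class ScriptEntry:
    command: str   # name of the executable the package installs
    package: str   # distribution that registers it


def collect_console_scripts() -> list[ScriptEntry]:
    """Enumerate every console_scripts entry point installed in this interpreter."""
    found = []
    for dist in distributions():
        pkg = dist.metadata["Name"] or "<unknown>"
        for ep in dist.entry_points:
            if ep.group == "console_scripts":
                found.append(ScriptEntry(ep.name, pkg))
    return found


def resolve_on_path(commands: Iterable[str], ignore_dirs: Iterable[str] = ()) -> dict[str, str]:
    """Map each command to the highest-precedence PATH directory (outside ignore_dirs)
    that already holds an executable of that name, i.e. the command it would shadow."""
    skip = set(ignore_dirs)
    path_dirs = [d for d in os.environ.get("PATH", "").split(os.pathsep) if d and d not in skip]
    resolved: dict[str, str] = {}
    for cmd in commands:
        for d in path_dirs:
            candidate = os.path.join(d, cmd)
            if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
                resolved.setdefault(cmd, d)   # first hit = highest PATH precedence
    return resolved


def find_collisions(entries, path_commands, baseline=frozenset()):
    """Return (kind, command, packages) findings.
    'duplicate'   : two distributions register the same command name.
    'shadows_path': a package script is named like a command already resolvable
                    on PATH and the (command, package) pair is not an approved baseline entry."""
    by_command: dict[str, list[str]] = {}
    for entry in entries:
        by_command.setdefault(entry.command, []).append(entry.package)
    findings = []
    for cmd, pkgs in sorted(by_command.items()):
        if len(set(pkgs)) > 1:
            findings.append(("duplicate", cmd, sorted(set(pkgs))))
        if cmd in path_commands and any((cmd, p) not in baseline for p in pkgs):
            findings.append(("shadows_path", cmd, sorted(set(pkgs))))
    return findings


def dirs_ahead_of_system(path_value, system_dirs=("/usr/local/bin", "/usr/bin", "/bin")):
    """PATH entries searched before the first system directory: a script dropped
    there by a package install wins over the system command of the same name."""
    ahead = []
    for d in path_value.split(os.pathsep):
        if d in system_dirs:
            break
        if d:
            ahead.append(d)
    return ahead


if __name__ == "__main__":
    entries = collect_console_scripts()
    env_bin = os.path.dirname(sys.executable)   # this environment's own scripts directory
    external = resolve_on_path({e.command for e in entries}, ignore_dirs={env_bin})
    for kind, cmd, pkgs in find_collisions(entries, external):
        print(f"{kind}: {cmd} <- {', '.join(pkgs)}")
    print("PATH dirs searched before system dirs:", dirs_ahead_of_system(os.environ.get("PATH", "")))
```

Run it inside the virtual environment you want to audit; a `shadows_path` finding for a package you did not expect to ship a command, or a `duplicate` between a well-known tool and an unfamiliar package, is the signal to inspect that package before trusting its scripts. The baseline set lets you record pairs such as `("pip", "pip")` that are legitimately present so repeated runs only report new entries.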