New Sonatype Repository Firewall Policy to Secure Software Supply Chains from Dependency Confusion Attacks
By Brent Kostak
As news continues to cascade about the recent dependency hijacking software supply chain attack, detections of dependency confusion (a.k.a. namespace confusion) copycat packages are on the rise. These counterfeit packages, using the same attack method that compromised the internal systems of over 35 major companies, including Microsoft, Apple, Tesla, and Netflix, are surfacing in npm and potentially in other open source registries (PyPI, RubyGems, NuGet). The targeted companies automatically pulled malicious and counterfeit packages into their development environments without any engineering mistake on their part. The attack exploited a system design flaw: npm and other open source ecosystems perform no authentication of namespaces and no coordinate checks.
Why namespacing matters in public open source repositories becomes clear once bad actors use it to gain access to critical infrastructure. Organizations need to secure their software supply chains from dependency confusion attacks.
Dependency Confusion Protection with Sonatype Repository Firewall and Sonatype Nexus Repository
New in Sonatype IQ Server 106 and Sonatype Nexus Repository 3.30
We are excited to launch Sonatype's new Dependency Confusion Policy Protection using Sonatype Repository Firewall and Sonatype Nexus Repository! Sonatype users can now automate dependency confusion protection at scale by connecting Sonatype IQ Server's policy management and component intelligence data with proxy repositories in Sonatype Nexus Repository.
Dependency Confusion Policy Protection features discussed in this section require licenses of Sonatype Nexus Repository, Sonatype Repository Firewall and Sonatype IQ Server. For further information and documentation on setting up Dependency Confusion Protection, see Preventing Namespace Confusion.
It is extremely dangerous when a development pipeline confuses your own proprietary software components with public components in open source registries that carry the same name but come from a completely different author. Since malicious code in a counterfeit public component can execute upon installation, such components must be blocked as early as possible.
Enforcing protection against dependency confusion attacks is as simple as:
- Connect Sonatype Nexus Repository to Sonatype IQ Server
- Turn on the "Proprietary Components" feature in Sonatype Nexus Repository
- Configure the Dependency Confusion Policy in Sonatype IQ Server
- Automate at scale with Sonatype Repository Firewall
Sonatype Nexus Repository users can now flag hosted repositories containing proprietary components (private internal components for your organization) and configure Sonatype Nexus Repository to send the names of all your proprietary components to Sonatype IQ Server. Once Sonatype IQ Server has received this list of component names from Sonatype Nexus Repository, any component requested from a proxy repository whose name matches the name of one of your proprietary components is flagged by the new Dependency Confusion Policy. Sonatype Repository Firewall then scales this protection by automatically quarantining the flagged components until the evaluation for dependency namespace confusion is complete.
Components quarantined by the Sonatype IQ policy can be reviewed in the Repository Results View. In this view, you can also re-evaluate all pre-existing components from the proxy repository against the new policy configuration, which shows whether any component downloaded in the past violates the new policy and is therefore suspicious.
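To make the mechanism concrete, here is an added illustration (not Sonatype's code) of the policy flow described above: names from hosted repositories form a proprietary index, requests through a proxy repository are checked against it and quarantined on a match, and previously cached components can be re-evaluated. The ecosystem normalisation rules, the `acme-*` component names and the sample cache contents are constructed assumptions for this demonstration.

```python
"""Constructed illustration of a dependency confusion check. Not Sonatype's code:
normalisation rules, names and sample data are assumptions for the demo."""
import re
from dataclasses import dataclass, field


@dataclass
class ProprietaryIndex:
    """Names of components from the organisation's own hosted repositories,
    keyed by ecosystem and normalised so lookalike spellings still match."""
    names: dict = field(default_factory=dict)

    @staticmethod
    def normalize(ecosystem: str, name: str) -> str:
        name = name.strip().lower()
        if ecosystem == "pypi":
            # PEP 503: runs of '-', '_' and '.' compare as a single '-'
            return re.sub(r"[-_.]+", "-", name)
        return name  # npm names (incl. @scope/name) are compared lowercase

    def add(self, ecosystem: str, name: str) -> None:
        self.names.setdefault(ecosystem, set()).add(self.normalize(ecosystem, name))

    def matches(self, ecosystem: str, name: str) -> bool:
        return self.normalize(ecosystem, name) in self.names.get(ecosystem, set())


def evaluate_request(index: ProprietaryIndex, repo_type: str, ecosystem: str, name: str) -> str:
    """Decision for one component requested through the repository manager.
    Only proxy (public upstream) requests can be confused; hosted repos are trusted."""
    if repo_type != "proxy":
        return "allow"
    if index.matches(ecosystem, name):
        return "quarantine"  # a public package shadows an internal component name
    return "allow"


def reevaluate_cache(index: ProprietaryIndex, ecosystem: str, cached_names) -> list:
    """Re-run the policy over components a proxy already served in the past
    and return the ones that now violate it."""
    return sorted(n for n in cached_names if index.matches(ecosystem, n))


# Constructed sample data: internal names registered from hosted repositories.
INDEX = ProprietaryIndex()
for eco, n in [("npm", "@acme/ui-kit"), ("npm", "acme-billing-client"), ("pypi", "Acme_Auth.Utils")]:
    INDEX.add(eco, n)

if __name__ == "__main__":
    for req in [("proxy", "npm", "acme-billing-client"), ("proxy", "npm", "lodash"),
                ("hosted", "npm", "acme-billing-client"), ("proxy", "pypi", "acme-auth-utils")]:
        print(req, "->", evaluate_request(INDEX, *req))
    print(reevaluate_cache(INDEX, "pypi", ["requests", "ACME.auth_utils", "flask"]))
```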
Sonatype's automated Dependency Confusion Policy Protection delivers secure, intelligent dependency management at scale. We are excited to deliver protection against dependency/namespace confusion attacks to all of our Nexus users.
Automated Malware Prevention Blocks Malicious Behavior with Sonatype Repository Firewall
What if Microsoft, Apple, Tesla, Netflix and the other 35 major companies could block counterfeit packages before the news became public? How would the headlines change if organizations could block potentially malicious behavior before a breach would occur? Here at Sonatype, such an advanced concept has become reality, as our Sonatype Intelligence research engine now automatically detects and blocks counterfeit and malicious behavior with new Release Integrity capability.
In fact, Sonatype customers using Sonatype Repository Firewall and our Advanced Development Pack with Release Integrity were protected from the recent dependency hijacking attack when Sonatype's detection system flagged the suspicious packages uploaded by the security researcher back in July 2020.
Over the past few months, our automated malware detection system continued to flag the packages, protecting our customers from any rogue behavior. Exactly what was happening was then identified on February 9, 2021, when the security researcher publicly announced that he had successfully breached critical infrastructure through a dependency/namespace confusion attack.
Image: Sonatype automated malware detection system, Release Integrity, illustrated
To summarize the top takeaways on next-gen software supply chain attacks and intelligent dependency management:
- Sonatype Repository Firewall and Sonatype Nexus Repository automate dependency confusion protection at scale: The new Sonatype Repository Firewall Policy combined with Sonatype Nexus Repository can protect against dependency/namespace confusion attacks. Reach out to our teams to secure your software supply chains with Sonatype Nexus Repository and Sonatype Repository Firewall.
- Newly identified malicious dependency confusion copycat packages are on the rise: Sonatype's automated malware detection system identified 750+ npm copycat packages earlier this week, since news of the attack broke in February 2021. The latest malicious packages target Amazon, Zillow and Slack.
- Sonatype Intelligence has become indispensable for dependency management: Approximately 20,000 new versions of components are released each day, making it impossible for most teams to manage dependencies manually. Sonatype's expanded Sonatype Intelligence capabilities and automated malware detection system identify malicious behavior to keep Sonatype users safe from the next unknown 'next-gen' supply chain attack that has not actually happened yet...
Stay tuned for more exciting Sonatype solution releases to automate intelligent dependency management, keeping your supply chains secure and your organizations out of the next breaking news and latest headlines.

Brent is the Director of Product Marketing connecting developers and DevOps communities to Sonatype Nexus tools and technologies.