Command Jacking: New Supply Chain Attack Technique Targets Open Source Package Entry Points

checkmarx.com

Command Jacking: New Supply Chain Attack Technique Targets Open Source Package Entry Points - 1d

A new and concerning attack technique has been identified by Checkmarx researchers, leveraging the entry points of open source application packages. This technique, dubbed “command jacking,” exploits the ability of developers to expose specific functions as command line tools. Attackers can create malicious packages with fake entry points, impersonating widely-used third-party tools or system commands like ‘aws’, ‘docker’, ‘npm’, ‘pip’, ‘git’, ‘kubectl’, ‘terraform’, ‘gcloud’, ‘heroku’, or ‘dotnet’. When unsuspecting developers install these packages and run the hijacked commands, malicious code can be executed, potentially leading to data theft, malware installation, and compromise of entire cloud infrastructures.

References:

Why are we still confused about cloud security - Open source package entry points could be used for command jacking: Report - 1d
checkmarx.com - This New Supply Chain Attack Technique Can Trojanize All Your CLI Commands - 1d
Malware Analysis, News and Indicators - This New Supply Chain Attack Technique Can Trojanize All Your CLI Commands - 1d
SCM feed for Security Strategy, Plan, Budget - Command-jacking used to launch malicious code on open-source platforms - 21h
Malware Analysis, News and Indicators - Command-jacking used to launch malicious code on open-source platforms - 20h
@cybernews - Dependence on open-source repositories has sparked a surge in malicious packages infiltrating software products. - 19h

Classification:

HashTags: #SupplyChainAttack #OpenSourceSecurity #CommandJacking
Target: Developers
Product: Open Source Packages
Feature: Entry Points
Type: Vulnerability
Severity: Major

Flag This

Command Jacking: New Supply Chain Attack Technique Targets Open Source Package Entry Points - 1d