A new and concerning attack technique has been identified by Checkmarx researchers, leveraging the entry points of open source application packages. This technique, dubbed “command jacking,” exploits the ability of developers to expose specific functions as command line tools. Attackers can create malicious packages with fake entry points, impersonating widely-used third-party tools or system commands like ‘aws’, ‘docker’, ‘npm’, ‘pip’, ‘git’, ‘kubectl’, ‘terraform’, ‘gcloud’, ‘heroku’, or ‘dotnet’. When unsuspecting developers install these packages and run the hijacked commands, malicious code can be executed, potentially leading to data theft, malware installation, and compromise of entire cloud infrastructures.
The reliance on open-source repositories has unfortunately led to a significant rise in malicious software packages infiltrating software products. These malicious packages are deliberately designed to compromise systems and steal data. They can be hidden within legitimate-looking packages, making it difficult for developers and users to detect them. This threat highlights the need for stringent security measures and thorough vetting of all open-source packages.