Checkmarx, a provider of application security testing tools, today reported that malicious actors have been able to compromise the free automated dependency management tool for software projects, known as Dependabot, that GitHub provides.
It’s not clear how prevalent the compromise is, but the attack involves the tokens that GitHub provides to allow access to Dependabot. Once cybercriminals gain access to a repository, they then add additional emails to the account that, once authorized, are used to inject malicious code into a repository that exfiltrates defined secrets to an external server. Cybercriminals can then modify any existing JavaScript files using a password-stealer to steal the credentials of any end user submitting their password in a web form.
Guy Nachshon, a security researcher for Checkmarx, said Checkmarx was only able to discover the threat because one of the cyberattackers made a mistake. DevOps teams are advised to confirm the identity of each user that has access to both public and private GitHub repositories to ensure their software supply chain has not been compromised, he added.
In general, attacks against software supply chains are becoming more sophisticated, noted Nachshon. Beyond launching phishing attacks to steal the credentials of individual members of an application development team, it appears cybercriminals are employing tactics and techniques that enable them to steal the credentials of an entire team contributing to a repository.
These attacks, of course, have become a matter of national security. Governments around the world are crafting legislation that will hold organizations more accountable for the security of the applications they build and deploy. It may be a while before those proposals become law, but it’s clear the pressure on organizations to secure their software supply chains is building. More organizations than ever are, as a result, embracing DevSecOps best practices to better protect their software supply chains.
The challenge is that many of the components used within those supply chains are from open source projects that organizations don’t have the ability to patch should a vulnerability be discovered. More troubling still, even when a patch is available, many organizations are reluctant to upgrade for fear of breaking an application. In effect, they are betting cybercriminals are not going to discover a potential exploit that exists in their application portfolio or that the damage inflicted will be less than what might otherwise be experienced should an application break following the update of a critical component.
Playing the equivalent of Russian Roulette with application security is, to put it mildly, inadvisable. DevSecOps teams need to not only address vulnerabilities in applications as they are being built but also address the massive amount of technical debt relating to known vulnerabilities that have been allowed to accrue for more years than most anyone cares to admit.
Unfortunately, cybercriminals are now clearly aware of the soft underbelly that exists within application environments, so the race to address an issue that has been allowed to fester is now on. And the odds, alas, are already stacked in favor of the malicious actors that are ready and willing to wreak havoc.