It’s been one year since the discovery of the March 28th, 2024, XZ-utils breach and the attack that changed the open source ecosystem forever. Every day, developers around the world power a trillion-dollar global economy by contributing millions of pieces of open source code used by every organization to build and maintain their products. However, this borderless collaboration comes with hidden risks. While openness is a core strength of the open source software development model, the challenge lies in not knowing precisely who is contributing to your software. This lack of transparency can introduce complex security vulnerabilities into your software supply chain. A year removed from Jia Tan’s XZ attack, this is a concern that should be at the forefront of everyone’s mind.
You don’t have a CVE problem. You have a threat problem.
Of paramount importance is understanding the true problem with software supply chain threats targeting your open source dependencies. When contributors are unknown bad actors or anonymous users with suspicious profiles, it’s easy for them to inject harmful code, create backdoors, or introduce subtle vulnerabilities that lie in wait until they can be leveraged at a later time. From carrying out large-scale attacks to simply degrading the performance of your system, these software supply chain threats are extremely commonplace.
In recent years, threat actors have turned theoretical attacks into real-world, high-profile software supply chain incidents. In the case of XZ, attackers have successfully infiltrated software projects undetected and compromised applications and systems further down the line. Without clear attribution, useful breadcrumbs, or intelligence, tracking the source of malicious code can rapidly become a daunting task, hindering incident response and remediation efforts. The XZ attack highlighted this massive gap for even the most experienced security teams, making it nearly impossible to trace, identify, and hunt that threat quickly.
The current narrative of provenance – or transparency into where certain code comes from and who is behind it – as a mitigating factor in software supply chain incidents doesn’t fully address the threats from individual contributors. Traditional methods to get ahead of these attacks have included adopting robust contributor verification processes, such as using cryptographic signing of commits, implementing contributor license agreements, and exploring the internals of a package. However, these methods often lack continuous monitoring of contributor activity, reputation, or history, which leaves a major security gap. Attackers like Jia Tan leverage this gap by targeting positions on open source repositories, which can have a critical impact on numerous downstream users and systems. For example, Hunted Labs has recognized what we call a “drive-by” technique, where attackers “spray and pray” across numerous open source repositories at once, targeting mainly solo maintainers in hopes of gaining total access to and control of the repository to launch their attack. Ring a bell?
The Solution: Open Source Optics
This is where a solution like Hunted Labs’ Open Source Optics (OSO) comes into play. OSO, a feature of our product ENTERCEPT™, fills this critical gap by providing intelligence and analysis of contributors to help teams maintain a vigilant security posture over the open source they use every day. It leverages the metadata associated with each piece of code and pulls together a holistic picture of the contributor landscape. For security teams, this kind of tool can be invaluable in identifying and even mitigating potential threats entirely.
OSO illuminates hidden patterns that would otherwise go unnoticed. These include:
- GitHub Account Age: OSO helps identify and flag “baby” or “ghost” accounts that might stir up trouble in well-known projects. These are accounts that are young in age, exercise anonymity, and exploit trust as their best attack tool. This allows analysts to focus on questionable accounts with suspicious activity patterns and to disregard accounts that are newly created or inactive and supporting the open source linchpins of their organization.
- Commit and Pull Request History: OSO can also identify malicious activity based on commit and pull request (PR) history. This detailed tracking is crucial for forensic analysis and understanding the attack vector, giving security teams the information they need to respond effectively and hunt the threat accordingly.
- OpenSSF (Open Source Security Foundation) Score: OSO assesses how top contributors and maintainers implement basic security checks for their projects. This helps define how upstream maintainers are protecting their projects from software supply chain attacks by following recognized best practices. This data provides a quick overview of the security posture of a project and helps analysts prioritize their efforts, allowing them to focus on matters with low scores or poor security practices.
- Number of Contributions to Each Project: This metric is a key indicator of project robustness. OSO helps analysts understand the level of engagement and activity within a project, which can be a factor in assessing its security and reliability.
Ultimately, OSO helps find suspicious contributors through a variety of tactics, techniques, and procedures, and provides the capability to implement compliance profiles that automatically flag packages across your entire software ecosystem. This proactive approach adds a layer of threat intelligence that was missing a year ago. It is necessary for identifying and addressing potential vulnerabilities, critical open source linchpins, and, ultimately, suspicious contributors involved with the open source projects your organization depends on, before attackers can exploit them.