Cybersecurity researchers at SonarSource have unearthed multiple security bugs in popular package managers including Pip, Yarn, Composer, and others. The vulnerabilities can be exploited to run arbitrary code and access sensitive details, including source code and access tokens, from vulnerable devices.
However, it is worth noting that the security bugs require the victim to handle a malicious package with one of the vulnerable package managers.
"This means that an attack cannot be launched directly against a developer machine from remote and requires that the developer is tricked into loading malformed files," Paul Gerste, a researcher at SonarSource explained. "But can you always know and trust the owners of all packages that you use from the internet or company-internal repositories?"
Package managers are systems or collections of tools that automate the installation, upgrade, and configuration of the third-party dependencies required for building applications.
The flaws could be exploited by malicious actors to trick victims into running malicious code. The vulnerabilities have been discovered in the following package managers:
• Composer 1.x < 1.10.23 and 2.x < 2.1.9
• Bundler < 2.2.33
• Bower < 1.8.13
• Poetry < 1.1.9
• Yarn < 1.22.13
• pnpm < 6.15.1
• Pip (no fix), and
• Pipenv (no fix)
The most severe flaw is a command injection bug in Composer's browse command that could be exploited to execute arbitrary code by including a crafted URL in a malicious package that has already been published.
If threat actors employ typosquatting or dependency confusion methodologies, it is possible that invoking the browse command for the library may lead to the retrieval of a next-stage payload, which can subsequently be used to launch further cyber assaults, researchers explained.
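A defensive check for the Composer browse issue described above, as an added example that is not SonarSource's or Composer's code: it reads the URL fields of a package manifest (the `homepage` and `support` entries, assumed here to be the fields a browse-style command would open) and refuses any value that is not a plain http(s) URL or that carries shell metacharacters. The manifest is a constructed sample.

```python
import json
import re
from urllib.parse import urlparse

# Characters a shell would interpret if an unescaped URL were spliced into a command line.
SHELL_META = re.compile(r"[;&|`$<>(){}\n\r'\"\\ ]")


def url_is_safe(url) -> bool:
    """Return True only for a plain http(s) URL with a host and no shell metacharacters."""
    if not isinstance(url, str) or SHELL_META.search(url):
        return False
    parsed = urlparse(url)
    return parsed.scheme in ("http", "https") and bool(parsed.netloc)


def suspicious_urls(manifest: dict) -> list:
    """Return (field, value) pairs for manifest URLs that must not be handed to a shell.

    Fields checked are `homepage` and every entry under `support` (assumption:
    these are the values a browse-style command would open).
    """
    candidates = [("homepage", manifest.get("homepage"))]
    for key, value in (manifest.get("support") or {}).items():
        candidates.append((f"support.{key}", value))
    return [(field, value) for field, value in candidates
            if value is not None and not url_is_safe(value)]


# Constructed sample manifest: the homepage smuggles a command separator and a
# support URL uses a non-http scheme.
SAMPLE_MANIFEST = json.loads("""{
  "name": "example/demo",
  "homepage": "https://example.com/demo; echo injected",
  "support": {"source": "https://example.com/src", "issues": "file:///etc/passwd"}
}""")

if __name__ == "__main__":
    for field, url in suspicious_urls(SAMPLE_MANIFEST):
        print(f"refusing to open {field}: {url!r}")
```

The same check applies to any tool that forwards manifest metadata to a subprocess: validate the value against an allow-list of schemes and pass it as an argument vector, never through a shell string.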
Following responsible disclosure of the vulnerabilities in September last year, patches for the security bugs in Composer, Bundler, Bower, Poetry, Yarn, and pnpm were released. However, Composer, Pip, and Pipenv, which are all impacted by the untrusted search path bug, have chosen not to patch that vulnerability.
"Developers are an attractive target for cybercriminals because they have access to the core intellectual property assets of a company: source code," Gerste concluded. "Compromising them allows attackers to conduct espionage or to embed malicious code into a company's products. This could even be used to pull off supply chain attacks."