Compromise Software Dependencies and Development Tools

Malicious npm packages (e.g. compromised versions of common dependencies) are published and pulled into developer and CI environments, providing the attacker an initial foothold via the software supply chain.

Metadata

Severity: critical
Slug: compromise-software-dependencies-and-development-tools

MITRE

T1555.006: Credentials from Password Stores: Cloud Secrets Management Stores
T1078.004: Valid Accounts: Cloud Accounts
T1059.007: Command and Scripting Interpreter: JavaScript
T1567.001: Exfiltration Over Web Service: Exfiltration to Code Repository
T1195.001: Supply Chain Compromise: Compromise Software Dependencies and Development Tools
T1552.001: Unsecured Credentials: Credentials In Files

Available Labs

Open Javascript labs in SecDim Play for this vulnerability.

medium

Shai Hulud.ir

JavaScript Medium Incident Response Github New Signature

Play AppSec WarGames

Want to skill-up in secure coding and AppSec? Try SecDim Wargames to learn how to find, hack and fix security vulnerabilities inspired by real-world incidents.

For Companies Play Now

Got a comment?

Join our secure coding and AppSec community. A discussion board to share and discuss all aspects of secure programming, AppSec, DevSecOps, fuzzing, cloudsec, AIsec code review, and more.