Several Security Flaws Identified in Major Software Package Managers

David Artykov
Published in Purple Team
3 min read · Mar 11, 2022


Retrieved from kpl.gov

Multiple security flaws have been discovered in major package managers that, if exploited, might allow attackers to run arbitrary code and access sensitive data on vulnerable machines, such as source code and access tokens. It’s worth mentioning, however, that exploiting the problems requires the targeted developer to use one of the affected package managers to handle a malicious package.

“This means that an attack from remote cannot be conducted directly against a developer computer, and the developer must be tricked into loading faulty files,” SonarSource researcher Paul Gerste explained. “However, can you always know and trust the owners of all the packages you download from the internet or from company-owned repositories?”

Package managers are systems or a collection of tools that automate the installation, upgrade, and configuration of third-party dependencies needed to develop applications. While there are security risks associated with malicious libraries working their way into package repositories, which necessitates that dependencies are thoroughly monitored to avoid typosquatting and dependency confusion attacks, the “act of managing dependencies is usually not seen as a potentially risky operation,” according to the report.
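The monitoring the report calls for can start before the package manager resolves anything. The following is an added example, not code from the article or from SonarSource: a pre-install audit that flags two of the risks named above, a dependency name that closely resembles a well-known one (typosquat candidate) and an internal-only name that would be fetched from the public registry (dependency confusion). The allowlist, internal-name list and sample manifest are constructed for the example.

```python
"""Pre-install dependency audit: typosquat and dependency-confusion checks."""
from difflib import SequenceMatcher
from typing import Dict, List

# Constructed allowlist of well-known public package names (assumption:
# a real deployment would load this from the team's approved inventory).
KNOWN_PUBLIC = {"requests", "lodash", "express", "numpy", "urllib3"}
# Constructed list of names that exist only on the company-owned registry.
INTERNAL_NAMES = {"acme-auth-client", "acme-billing-sdk"}
# Similarity above which a name is reported as a possible typosquat.
TYPOSQUAT_THRESHOLD = 0.8


def similarity(a: str, b: str) -> float:
    """Ratio in [0, 1] from difflib; 1.0 means identical strings."""
    return SequenceMatcher(None, a, b).ratio()


def check_dependency(name: str, registry: str) -> List[str]:
    """Return findings for one dependency; registry is 'public' or 'internal'."""
    findings: List[str] = []
    if name not in KNOWN_PUBLIC:
        # Typosquat: close to an approved name, but not that name.
        for known in sorted(KNOWN_PUBLIC):
            if similarity(name, known) >= TYPOSQUAT_THRESHOLD:
                findings.append(f"typosquat-candidate: '{name}' resembles '{known}'")
                break
    # Dependency confusion: an internal name resolved from the public registry.
    if name in INTERNAL_NAMES and registry == "public":
        findings.append(f"dependency-confusion: internal '{name}' would be "
                        f"fetched from the public registry")
    return findings


def audit(manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each flagged package name to its findings (clean packages omitted)."""
    report: Dict[str, List[str]] = {}
    for name, registry in manifest.items():
        findings = check_dependency(name, registry)
        if findings:
            report[name] = findings
    return report


# Constructed manifest: package name -> registry the resolver would use.
SAMPLE_MANIFEST = {
    "requests": "public",
    "reqeusts": "public",            # transposed letters
    "express": "public",
    "acme-auth-client": "public",    # internal name, wrong registry
    "acme-billing-sdk": "internal",
}

if __name__ == "__main__":
    for pkg, issues in audit(SAMPLE_MANIFEST).items():
        print(pkg, "->", "; ".join(issues))
```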
