Researchers say they’ve found a supply-chain assault flooding repositories with malicious packages that comprise invisible code, a method that’s flummoxing conventional defenses designed to detect such threats.
The researchers, from agency Aikido Safety, mentioned Friday that they discovered 151 malicious packages that had been uploaded to GitHub from March 3 to March 9. Such supply-chain assaults have been widespread for almost a decade. They often work by importing malicious packages with code and names that carefully resemble these of extensively used code libraries, with the target of tricking builders into mistakenly incorporating the previous into their software program. In some instances, these malicious packages are downloaded hundreds of instances.
Defenses see nothing. Decoders see executable code
The packages Aikido discovered this month have adopted a more recent method: selective use of code that isn’t seen when loaded into just about all editors, terminals, and code evaluate interfaces. Whereas many of the code seems in regular, readable type, malicious features and payloads—the same old telltale indicators of malice—are rendered in unicode characters which are invisible to the human eye. The tactic, which Aikido mentioned it first noticed final 12 months, makes handbook code evaluations and different conventional defenses almost ineffective. Different repositories hit in these assaults embody NPM and Open VSX.
