TH16129
Detected presence of software components that can tamper with other installed software.
| priority | CI/CD status | severity | effort | SAFE level | SAFE assessment |
|---|---|---|---|---|---|
|  | pass | high | high | None | None |
About the issue

Software components are typically distributed in standardized packaging formats. A software package is built from instructions in a package manifest, which acts as the blueprint for package assembly. The manifest declares the package's most important properties: its name, authors and license, its external dependencies, and the actions that may run at various points in the package lifecycle (for example, install-time scripts).

Package managers are specialized tools that developers use to manage software components. They read these manifests to deploy components together with their dependencies. The premise of a package management system is that components are isolated from one another and rely on the package manager, not on each other, to provide their dependencies.

This issue is reported when a software component includes code capable of accessing or modifying directories that are maintained exclusively by package managers. Legitimate packages rarely need to do this, and the behavior resembles tactics used by threat actors who tamper with installed software components to inject malicious code into trusted execution paths.
How to resolve the issue
- Investigate reported detections as indicators of software tampering.
- Consult the MITRE ATT&CK documentation: T1554 - Compromise Host Software Binary.
- Consider rewriting the flagged code without using the marked behaviors.
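To make the flagged behavior concrete for triage, the following is an added illustrative checker, not Spectra Assure's own detection logic: it parses Python source with the standard `ast` module and reports filesystem-writing calls whose path strings name a package-manager-maintained directory. The directory list, the call list and the sample snippet are constructed assumptions for this example.

```python
import ast

# Directories maintained by package managers; ordinary package code has no
# business writing into them. Illustrative list, not Spectra Assure's own.
MANAGED_DIRS = ("site-packages", "dist-packages", "node_modules",
                "/var/lib/dpkg", "/var/lib/rpm", "/gems/")
# Filesystem-modifying calls, matched on bare or attribute name.
WRITE_CALLS = {"open", "write_text", "write_bytes", "copy", "copyfile", "copy2",
               "move", "remove", "unlink", "rename", "replace", "rmtree"}

def _call_name(call):
    f = call.func
    return f.id if isinstance(f, ast.Name) else getattr(f, "attr", None)

def _is_write_open(call):
    # open(path, "w"/"a"/"x"/"r+") or mode=...; a plain read is not flagged
    mode = dict((kw.arg, kw.value) for kw in call.keywords).get("mode")
    mode = mode or (call.args[1] if len(call.args) > 1 else None)
    return isinstance(mode, ast.Constant) and any(c in str(mode.value) for c in "wax+")

def _strings(node, assigned):
    """String literals under node, following one level of `name = <expr>`."""
    for n in ast.walk(node):
        if isinstance(n, ast.Constant) and isinstance(n.value, str):
            yield n.value
        elif isinstance(n, ast.Name) and n.id in assigned:
            yield from _strings(assigned[n.id], {})

def find_tamper_indicators(source):
    """Write-type calls whose path strings name a package-manager directory."""
    tree = ast.parse(source)
    assigned = {t.id: n.value for n in ast.walk(tree) if isinstance(n, ast.Assign)
                for t in n.targets if isinstance(t, ast.Name)}
    findings = []
    for node in ast.walk(tree):
        name = _call_name(node) if isinstance(node, ast.Call) else None
        if name not in WRITE_CALLS or (name == "open" and not _is_write_open(node)):
            continue
        seen = list(_strings(node, assigned))
        dirs = [d for d in MANAGED_DIRS if any(d in s for s in seen)]
        if dirs:
            findings.append({"line": node.lineno, "call": name, "dirs": dirs})
    return sorted(findings, key=lambda f: f["line"])

# Constructed sample: a post-install step that edits an already installed package.
SAMPLE_SUSPECT = '''import shutil, sys
target = f"{sys.prefix}/lib/python3/site-packages/requests/__init__.py"
with open(target, "a") as fh:
    fh.write("# patched")
shutil.copy("helper.py", "/usr/lib/python3/dist-packages/helper.py")'''
```

Read-only access to these directories (for example, opening a lockfile under `node_modules` without a write mode) is deliberately not reported, which mirrors the distinction between inspecting installed software and tampering with it.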
Incidence statistics
ReversingLabs periodically collects and analyzes the contents of popular software package repositories for threat research purposes. Analysis results are used to calculate incidence statistics for issues (policy violations) that Spectra Assure can detect in software packages.
This section is updated when new data becomes available.
Total number of packages analyzed
- Linux: 562K
- NPM: 5.12M
- NuGet: 735K
- PS Gallery: 17K
- PyPI: 838K
- RubyGems: 203K
- VS Code: 113K
- Windows: 3.7K
Recommended reading
- Compromise Host Software Binary (External resource)