TH16509
Detected presence of package manifests that can access sensitive system files.
| priority | CI/CD status | severity | effort | SAFE level | SAFE assessment |
|---|---|---|---|---|---|
 | fail | high | high | 1 | tampering: fail Reason: dangerous package manifests |
About the issueโ
Many popular programming languages use standardized software packaging formats to distribute reusable code components. Software packages are built from instructions written within package manifests that act as blueprints for package assembly. A package manifest declares the most important software properties, such as the package name, its authors and license, external dependencies, and various actions that may occur during the package lifecycle. Actions defined within the package manifest are executed automatically by the package manager during events such as package installation, compilation, testing, or on package removal. It is unusual for a package manifest to execute commands that can collect sensitive system files. Attackers often abuse package manifests to run commands that collect authentication details such as tokens and credentials, private keys, environment files, and other secrets that could help them gain unauthorized access to the system on which their malicious code was installed.
How to resolve the issueโ
- Investigate reported detections.
- If the software intent does not relate to the reported behavior, investigate your build and release environment for software supply chain compromise.
- You should delay the software release until the investigation is completed, or until the issue is risk accepted.
- Consider rewriting the package manifest without using the marked behaviors.
Incidence statisticsโ
ReversingLabs periodically collects and analyzes the contents of popular software package repositories for threat research purposes. Analysis results are used to calculate incidence statistics for issues (policy violations) that Spectra Assure can detect in software packages.
This section is updated when new data becomes available.
Total amount of packages analyzed
- RubyGems: 183K
- Nuget: 644K
- PyPi: 628K
- NPM: 3.72M
Recommended readingโ
- RATs found hiding in the npm attic (ReversingLabs blog)
- SBOM Facts: Know what's in your software to fend off supply chain attacks (ReversingLabs blog)