TH30103
Detected presence of software components that were removed from the public package repository.
| priority | CI/CD status | severity | effort | SAFE level | SAFE assessment |
|---|---|---|---|---|---|
 | pass | high | high | None | tampering: warning Reason: components prone to hijacking |
About the issueโ
Software developers use programming and design knowledge to build reusable software components. Software components are the basic building blocks for modern applications. Software consumed by an enterprise consists of hundreds, and sometimes even thousands of open source components. Software developers publish components they have authored to public repositories. Open source projects are the intellectual property of their respective authors. At any time, the authors may choose to completely remove the software component from a public repository. This often occurs when a software project reaches its end-of-life stage, or when the software authors lose interest in maintaining the project. This kind of removal frees up the software package name, its unique software identifier in the public repository, for other developers to use. However, new software project owners might have malicious intent. Threat actors are continuously monitoring popular package names in case their unique identifiers suddenly become available for hijacking. Once the software projects falls under new ownership, the new maintainers may opt to use the project popularity to spread malware to unsuspecting users.
How to resolve the issueโ
- Inspect behaviors exhibited by the detected software components.
- If the software behaviors differ from expected, investigate the build and release environment for software supply chain compromise.
- Revise the use of components that raise these alarms. If you can't deprecate those components, make sure that their versions are pinned.
- Avoid using this software package until it is vetted as safe.
Incidence statisticsโ
ReversingLabs periodically collects and analyzes the contents of popular software package repositories for threat research purposes. Analysis results are used to calculate incidence statistics for issues (policy violations) that Spectra Assure can detect in software packages.
This section is updated when new data becomes available.
Total amount of packages analyzed
- RubyGems: 183K
- Nuget: 644K
- PyPi: 628K
- NPM: 3.72M