TH30114
Detected presence of software components with uncommon remote dependency hosts.
| priority | CI/CD status | severity | effort | SAFE level | SAFE assessment |
|---|---|---|---|---|---|
 | pass | medium | high | None | None |
About the issueโ
Software developers use programming and design knowledge to build reusable software components. Software components are the basic building blocks for modern applications. Software consumed by an enterprise consists of hundreds, and sometimes even thousands of open source components. Each of these components can have dozens or even hundreds of its own dependencies. When building applications, software developers download and install components from public repositories. For components to work properly, all of their dependencies also need to be installed. Some package repositories, like Node Package Manager (NPM), allow components to declare dependencies that are hosted remotely. Such dependencies are automatically downloaded from a specified location during software component installation. It was detected that a software component declares remote dependencies hosted outside commonly expected locations such as well-known code hosting platforms and official package registry content delivery networks. Threat actors often host malicious dependencies on attacker-controlled infrastructure, ephemeral file sharing services, or compromised legitimate sites to evade security review and retain control over the delivered content. It is uncommon to find open source components that resolve dependencies from such locations.
How to resolve the issueโ
- Review software component remote dependency locations.
- Consult Mitre ATT&CK documentation: T1195.001 - Supply Chain Compromise: Compromise Software Dependencies and Development Tools.
- If the software component resolves dependencies from unusual locations, investigate the build and release environment for software supply chain compromise.
- Consider vendoring the software component with all of its dependencies.
- Avoid using this software package until it is vetted as safe.
Incidence statisticsโ
ReversingLabs periodically collects and analyzes the contents of popular software package repositories for threat research purposes. Analysis results are used to calculate incidence statistics for issues (policy violations) that Spectra Assure can detect in software packages.
This section is updated when new data becomes available.
Total amount of packages analyzed
- Linux: 562K
- NPM: 5.12M
- Nuget: 735K
- PS Gallery: 17K
- PyPi: 838K
- RubyGems: 203K
- VS Code: 113K
- Windows: 3.7K
Recommended readingโ
- Supply Chain Compromise: Compromise Software Dependencies and Development Tools (External resource)