TH30115
Detected presence of software components with blacklisted remote dependency hosts.
| priority | CI/CD status | severity | effort | SAFE level | SAFE assessment |
|---|---|---|---|---|---|
 | fail | high | high | 1 | tampering: fail Reason: restricted network references |
About the issueโ
Software developers use programming and design knowledge to build reusable software components. Software components are the basic building blocks for modern applications. Software consumed by an enterprise consists of hundreds, and sometimes even thousands of open source components. Each of these components can have dozens or even hundreds of its own dependencies. When building applications, software developers download and install components from public repositories. For components to work properly, all of their dependencies also need to be installed. Some package repositories, like Node Package Manager (NPM), allow components to declare dependencies that are hosted remotely. Such dependencies are automatically downloaded from a specified location during software component installation. It was detected that a software component declares remote dependencies hosted on addresses found on a proprietary ReversingLabs network reference blacklist. Threat actors often host malicious dependencies on infrastructure previously observed delivering malware, or other software supply chain attack components. Software components that resolve dependencies from such locations are reported as malicious.
How to resolve the issueโ
- Review software component remote dependency locations.
- Consult Mitre ATT&CK documentation: T1195.001 - Supply Chain Compromise: Compromise Software Dependencies and Development Tools.
- If the software component resolves dependencies from unusual locations, investigate the build and release environment for software supply chain compromise.
- Consider vendoring the software component with all of its dependencies.
- Avoid using this software package until it is vetted as safe.
Incidence statisticsโ
ReversingLabs periodically collects and analyzes the contents of popular software package repositories for threat research purposes. Analysis results are used to calculate incidence statistics for issues (policy violations) that Spectra Assure can detect in software packages.
This section is updated when new data becomes available.
Total amount of packages analyzed
- Linux: 562K
- NPM: 5.12M
- Nuget: 735K
- PS Gallery: 17K
- PyPi: 838K
- RubyGems: 203K
- VS Code: 113K
- Windows: 3.7K
Recommended readingโ
- Supply Chain Compromise: Compromise Software Dependencies and Development Tools (External resource)