I've been interested in software supply chain security for some time now. This is the very early beginnings of my research in this space.
Some researchers have discovered and demonstrated how malicious 3rd party packages can be snuck in by different means.
For example, a bunch of NPM packages were removed from the pubic registry by the
author, which caused software builds across the world to fail. But, the problem
didn't end here. Some opportunistic malicious actors published modified versions
of these packages with identical names. When downloaded by developers, these
malicious packages would execute code controlled by the attackers, such as
exfiltrate data, run coin miners, create backdoored channels with C&C server, or
even rm -rf /
See my blog article on this for more details.
- Detonate untrusted package/code in a container
- Collect all syscall activities (e.g. read, write, network connections ...etc) inside the container
- Analyze data for suspicious or undesired behavior
- Ultimately, production software running inside containers can be limited to
only perform what it is allowed to perform via
seccomp,apparmor, or SE-Linux profiles
- Build docker image:
docker build -t node-tracer:latest -f Dockerfile.node . - Run docker container:
docker run --rm -v $PWD/strace:/strace node-tracer:latest -f -o node-tracer.strace npm install -g petermbenjamin - Examine content of strace file
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent