NCSC urges organizations to shore up supply chain security practices
With attackers increasingly compromising open source packages to spread malware, organizations need to be on their guard
The National Cyber Security Centre (NCSC) has urged organizations to review their dependencies in light of an increasing number of supply chain attacks.
Recent attacks, the agency noted, have included maintainer account compromise, where attackers steal credentials or tokens that allow a malicious actor to update a trusted package.
Attackers are also taking over ownership of expired domains connected to package maintainers, or otherwise transferring ownership of a previously legitimate package.
Meanwhile, typosquatting is on the rise, with packages published under names similar to the genuine article, or as misspellings of popular legitimate packages, in the hope they are installed by mistake.
Threat actors are also using credentials or tokens stolen from a previous attack to access or modify additional packages.
These risks arise because a single application may rely on a large number of third-party packages – including libraries, frameworks, snippets and software development kits – some of which may not be entirely trustworthy.
Node.js, Rust and Python, for example, are unusually exposed because they have minimal standard libraries, which pushes developers towards third-party dependencies even for basic functionality and leads to a heavy reliance on external registries.
Many of these components are retrieved automatically through continuous integration and continuous delivery (CI/CD) pipelines, often without human intervention.
"It is this combination of automation, trust and scale which means that malicious code introduced into a single package can spread rapidly across many organisations and services before detection," the NCSC warned.
The NCSC warned that threat groups are actively targeting developer environments, which are usually less tightly controlled than managed corporate devices, making them easier to compromise and a convenient place to steal credentials for shared code repositories or package registries.
A single malicious package can spread quickly across downstream software products and services. Indeed, compromising a lesser-known but critical software component can have a significant and far-reaching impact on many organizations and systems.
The NCSC highlighted Node.js in particular, as its highly modular packages depend on many smaller components.
CI/CD threats are rising
Meanwhile, recent attacks have exploited the implicit trust in CI/CD and automation pipelines, where the automation of updates, installation, and execution of scripts and packages allows attackers to execute malicious code.
"For example, Node.js and Python support scripts that execute on installation, and allow a malicious package to be run immediately. Without human intervention or approval, the code can simply propagate," the NCSC warned.
Open publishing models increase exposure, with security controls for maintainer registry accounts not currently enforced by all registry providers.
Check your dependencies
The NCSC outlined a series of actions organizations are advised to take, including:
- Pause automatic dependency updates where compromise may be present
- Review and approve new updates, dependencies, or versions manually
- Rotate exposed or potentially exposed credentials
- Enforce MFA for developer and package registry accounts
- Use private or trusted registries where appropriate
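The typosquatting and install-script risks described above, and the "review manually" step in this list, can be partly automated before a human signs off on a new dependency. The following script is an added example (not NCSC or ITPro code) that takes a simplified, constructed inventory of a project's dependencies – a mapping of package name to version and declared scripts, as would be read from each installed package's package.json – and reports two things: packages that declare install-time lifecycle hooks, and names within a short edit distance of a team-maintained allowlist of packages it expects to see. The hook names match the npm lifecycle scripts that run automatically on install; the sample inventory and allowlist are constructed for illustration.

```python
"""Dependency review helper (added example; sample data is constructed).

Flags two conditions the NCSC guidance calls out:
  * install-time scripts (preinstall / install / postinstall), which npm
    runs automatically and which a malicious package can abuse;
  * package names that are one edit away from a known-good allowlist,
    a cheap heuristic for typosquatting.
An install script is not proof of malice (native add-ons legitimately
use them), so the tool reports findings for human review rather than
blocking the build.
"""

# npm lifecycle hooks that execute during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

# Names shorter than this are skipped in the lookalike check, because
# tiny names produce too many one-edit false positives.
MIN_LOOKALIKE_LEN = 4

# Constructed inventory: name -> {version, scripts}. "lodahs" is a
# constructed lookalike of "lodash"; "native-addon-example" stands in
# for a legitimate package that needs an install script.
SAMPLE_INVENTORY = {
    "express": {"version": "4.19.2", "scripts": {"test": "mocha"}},
    "lodash": {"version": "4.17.21", "scripts": {}},
    "lodahs": {"version": "1.0.0", "scripts": {"postinstall": "node ./setup.js"}},
    "chalk": {"version": "5.3.0", "scripts": {}},
    "native-addon-example": {"version": "2.1.0", "scripts": {"install": "node-gyp rebuild"}},
}

# Constructed allowlist: packages the team has already reviewed.
ALLOWLIST = {"express", "lodash", "chalk", "native-addon-example"}


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute,
    and adjacent transposition all cost 1. Transpositions matter here
    because swapped letters are a common typosquat pattern."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def find_install_scripts(inventory: dict) -> list:
    """Return (package, hook) pairs for every declared install-time script."""
    findings = []
    for name in sorted(inventory):
        scripts = inventory[name].get("scripts", {})
        for hook in INSTALL_HOOKS:
            if hook in scripts:
                findings.append((name, hook))
    return findings


def find_lookalikes(inventory: dict, allowlist: set, max_distance: int = 1) -> list:
    """Return (package, allowlisted_name) pairs for names that are not on
    the allowlist but sit within max_distance edits of an entry on it."""
    findings = []
    for name in sorted(inventory):
        if name in allowlist or len(name) < MIN_LOOKALIKE_LEN:
            continue
        for allowed in sorted(allowlist):
            if osa_distance(name, allowed) <= max_distance:
                findings.append((name, allowed))
    return findings


def review(inventory: dict, allowlist: set) -> dict:
    """Combine both checks into one report a reviewer can act on."""
    install_scripts = find_install_scripts(inventory)
    lookalikes = find_lookalikes(inventory, allowlist)
    return {
        "install_scripts": install_scripts,
        "lookalikes": lookalikes,
        "needs_review": bool(install_scripts or lookalikes),
    }


if __name__ == "__main__":
    report = review(SAMPLE_INVENTORY, ALLOWLIST)
    for pkg, hook in report["install_scripts"]:
        print(f"install script: {pkg} declares '{hook}'")
    for pkg, target in report["lookalikes"]:
        print(f"lookalike name: {pkg} resembles allowlisted '{target}'")
    print("manual review required" if report["needs_review"] else "no findings")
```

Run against the constructed inventory, the script reports the install hooks on "lodahs" and "native-addon-example" and flags "lodahs" as a lookalike of "lodash"; a reviewer then decides whether the native add-on's install script is expected and whether the lookalike is a typo in the manifest. Pairing a report like this with the "pause automatic updates" and "approve manually" steps above turns dependency review into a gated step in the pipeline rather than something that happens only after an incident.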
"These attacks highlight the need to revisit how dependencies are introduced and managed, as part of a secure development lifecycle (SDLC)," the NCSC said.
"Whilst Node.js, Python and Rust are considered higher risk for these attacks, it’s important to be aware that other languages, tools, and package repositories are also at risk."
Developers should also make use of the Software Security Code of Practice, reviewing how dependencies are introduced and updated, avoiding automatic adoption of new dependency versions without review, and striking a balance between deploying security patches quickly and adopting new dependency versions cautiously.
This will help minimize the potential impact of compromise, according to the NCSC.
Elsewhere, organizations should ensure deployments occur through controlled CI/CD pipelines rather than from developer devices, and should store sensitive credentials securely, avoiding exposure on developer workstations.
"Modern software development has transformed how software is created, shared and reused – but recent attacks on these tools highlight the rapidly growing risks of using modern software ecosystems," the NCSC said.
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.