What is Malicious Package Identification API (MPIAPI)?

Notice

This capability had previously been referred to as "Supply Chain Threat Intelligence".

Malicious package attacks are perpetrated by causing developers or automated systems to download and utilize open-source packages that contain malware. Unlike packages containing vulnerable code that may be exploited at a later time, these attacks are likely to cause data breaches and other types of severe harm immediately upon installation. Malicious Package Identification API (MPIAPI) makes it easy to integrate malicious package identification calls throughout the SDLC to prevent dangerous or suspicious open-source libraries from threatening your organization.

Any solution for identifying malicious packages can only be as effective as the database it uses. Checkmarx has established itself as a leader in this field by maintaining the industry’s most comprehensive repository of malicious packages. To date, Checkmarx has identified more than 410,000 malicious packages across 92.8 million package versions.

MPIAPI is a product offered by Checkmarx that enables you to access our malicious package database in order to identify suspicious packages before they are introduced into your environment.

To use this tool, you simply submit an API call with a list of packages that you plan to use, and the API returns detailed info about any possible supply chain risks posed by any of those packages.

How We Detect Malicious Packages

Our extensive coverage is achieved through the combination of proprietary automated technologies that can scale to analyze the massive volume of packages published daily across multiple ecosystems (PyPI, npm, RubyGems, NuGet, Maven Central, etc.), and a dedicated AppSec research team that manually reviews each package before it is added to the database. Checkmarx identifies potential malicious packages of the following types:

  • Reputation - There is reason to suspect the credibility of the owner or contributors of the package, e.g., a newly created user is registered as the package owner.

  • Reliability - There are irregularities in the naming or maintenance patterns of the package, e.g., Typosquatting or Chainjacking.

  • Behavior - The behaviors of the package are unsafe. The package may be malicious by design or it may inadvertently introduce risks into your project. This category includes packages that exfiltrate information about operating systems, user credentials, etc.

The following table shows some examples of supply chain risks of each type that are identified by Checkmarx MPIAPI.

| Type | Title | Description |
|---|---|---|
| Reputation | New User | The owner of this package is a newly created user. |
| Reputation | Protestware | Software that includes functionality which aims to protest or raise an issue. |
| Reputation | Repojacking | Taking over the repository of a legitimate package. |
| Reputation | Account takeover | Compromise of a legitimate maintainer's account by an attacker, who then uses it to spread malicious packages. |
| Reliability | Dependency Confusion | This package introduces the risk of substituting a package from a public registry in place of a similarly named package in a private registry. For example, it uses private packages for which the namespace is unreserved on the public registry. |
| Reliability | Typosquatting | This package mimics the name of a popular package, inducing users to inadvertently call this package. |
| Reliability | StarJacking | There is a weak link between the package metadata and the referenced Git repository. |
| Reliability | Chainjacking | This package is stored in a renamed GitHub repository, making it vulnerable to an attacker taking control of the repo and serving malicious code through the package. |
| Behavior | Harmful File Download | This package downloads a harmful file. |
| Behavior | Malicious Package | This package was manually inspected by a security researcher and flagged as being malicious by design. |
| Behavior | Data Exfiltration | This package exfiltrates computer and operating system information. |
| Behavior | Data Exfiltration | This package exfiltrates stored credentials and sensitive information. |
| Behavior | Network Anomaly | This package sends information via DNS Tunneling, which exploits the highly trusted DNS protocol to tunnel malware and other data through a client-server model. |
| Behavior | Network Anomaly | This package communicates with a service (domain address) commonly used by attackers. |
| Behavior | Crypto Miner | This package executes crypto mining software. |

Examples

The following are some examples of suspicious packages with various types of risks that we have identified:

| Package type | Package name | Version(s) | Attack vector used |
|---|---|---|---|
| npm | node-ipc | 9.2.2 | Protestware |
| npm | momnet | any | Typosquatting |
| npm | ua-parser-js | 0.7.29 | Account Takeover |
| npm | flow-dev-tools | any | Dependency Confusion |
| rubygems | pretty_color | any | Typosquatting |
| npm | zvkenxparfbmksjo | any | Cryptominer |
| mvn | com.github.codingandcoding:mail-watcher-plugin | any | Typosquatting |
| pypi | 10cent10 | any | Reverse Shell |
| npm | easy-stack | any | At Risk due to correlation to risky maintainer |
| go | github.com/maximabramchuck/awesome-interviews | any | Risk of Repojacking |
| pypi | python-io-wrapper | any | Expired Email Domain |
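
A local pre-install gate in the spirit of the "submit a list of packages, get back the risks" workflow, added here as an example: it is not Checkmarx code and does not call MPIAPI. It reads an npm lockfile (v2/v3 layout), including nested transitive dependencies, and matches each entry against the npm rows of the examples table above. The function names and the sample lockfile are assumptions constructed for illustration.

```python
import json

# npm rows copied from the examples table above: name -> (flagged version, risk).
# "any" means every version of the package is flagged.
ADVISORIES = {
    "node-ipc": ("9.2.2", "Protestware"),
    "momnet": ("any", "Typosquatting"),
    "ua-parser-js": ("0.7.29", "Account Takeover"),
    "flow-dev-tools": ("any", "Dependency Confusion"),
    "zvkenxparfbmksjo": ("any", "Cryptominer"),
    "easy-stack": ("any", "At Risk due to correlation to risky maintainer"),
}

def lockfile_packages(lock_text):
    """Yield (name, version, path) for each entry of an npm v2/v3 lockfile,
    including transitive dependencies nested under other packages."""
    for path, meta in json.loads(lock_text).get("packages", {}).items():
        if not path:  # the "" key is the root project itself
            continue
        # "node_modules/a/node_modules/@scope/b" -> "@scope/b"
        name = path.rsplit("node_modules/", 1)[-1]
        yield name, meta.get("version", ""), path

def flagged(lock_text, advisories=ADVISORIES):
    """Return (name, version, risk, path) for entries that match an advisory."""
    findings = []
    for name, version, path in lockfile_packages(lock_text):
        if name in advisories:
            bad_version, risk = advisories[name]
            if bad_version in ("any", version):
                findings.append((name, version, risk, path))
    return findings

# Constructed sample lockfile: a flagged transitive dependency, an unflagged
# version of node-ipc, and a typosquat that is flagged at any version.
SAMPLE_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/example-parent": {"version": "1.4.0"},
    "node_modules/example-parent/node_modules/ua-parser-js": {"version": "0.7.29"},
    "node_modules/node-ipc": {"version": "9.2.1"},
    "node_modules/momnet": {"version": "2.29.1"},
}})

if __name__ == "__main__":
    results = flagged(SAMPLE_LOCK)
    for name, version, risk, path in results:
        print(f"BLOCK {name}@{version} ({risk}) via {path}")
    raise SystemExit(1 if results else 0)  # non-zero exit fails the CI step
```

Run against the lockfile rather than the top-level manifest so that flagged packages pulled in transitively are caught before install.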