Security News
Sarah Gooding
March 7, 2024
The Cybersecurity and Infrastructure Security Agency (CISA), the U.S.’ lead cyber defense agency, is collaborating with the open source ecosystem on new initiatives to secure the critical infrastructure that powers modern digital life. CISA’s March 5-6 Open Source Software Security Summit included representatives from open source foundations, package repositories, civil society, industry and federal agencies.
CISA Director Jen Easterly delivered the opening remarks, acknowledging the value of OSS to the economy and its potential for exploitation:
A recent Harvard study estimated that open source software has generated over eight trillion dollars in value to our society. That level of impact is astonishing, and the continued growth and successes of this movement are a testament to the underlying logics of open source that inherently promote and reward innovation and collaboration. This would not be possible without your tireless efforts to ensure that open source software is scaled in secure and sustainable ways.
We at CISA are particularly focused on OSS security because, as everyone here knows, the vast majority of our critical infrastructure relies on open source software. And while the Log4Shell vulnerability might have been a big wakeup call for many in government, it demonstrated what this community has known and warned about for years: due to its widespread deployment, the exploitation of OSS vulnerabilities becomes more impactful.
CISA is also working towards establishing voluntary collaboration and cyber defense information sharing with OSS communities for the purpose of preventing these types of supply chain attacks.
Package registries were one of the main focuses of the summit, following CISA’s publication of the Principles for Package Repository Security framework in partnership with the Open Source Security Foundation (OpenSSF). This document, which is still being refined, offers a set of best practices recommended for package registries. It includes voluntary security measures and levels of maturity for package repositories, summarized in this list:
These security measures apply to the registries in different ways, as some do not have user accounts or do builds on behalf of users, for example.
Five of the most widely used package registries have agreed to take steps towards securing their operations, guided by this new "Principles for Package Repository Security" framework. This includes the following:
CISA Director Jen Easterly spoke about the government’s role in supporting OSS security efforts during her opening remarks, stating that CISA does not seek to control or regulate the open source community.
“Instead, our goal is to show up, as a community member, and steer our resources in ways that can help support secure by design open source software development practices and encourage its responsible usage,” Easterly said. “The federal government is one of the biggest users of open source software in the world; it only makes sense that it makes the requisite contributions back to the OSS community.”
This initiative is a positive sign that the US government is recognizing the increasing threats facing software supply chains at the package registry level, and is approaching these registries as a public good. CISA is taking a supportive stance that respects the autonomy and community-driven nature of open source development, rather than imposing regulation. This is crucial for maintaining the collaborative spirit that drives OSS.
“As we know, package repositories are uniquely positioned to improve the overall security posture of open source software in a way that benefits all users,” Easterly said. “At the same time, we recognize that these package repositories are so often resource constrained. My hope is that this summit will help foster discussion on how best to prioritize and support security improvements to this critical component in OSS supply chains.”