Packagist Repository Hijacked
Bleeping Computer recently reported that an anonymous researcher managed to gain control over fourteen packages on Packagist, a major registry commonly used by PHP developers for building websites and web applications. One of these packages had been installed more than 500 million times. Packagist, rather than hosting these packages directly, primarily serves as a metadata directory that collates open-source packages published on GitHub. Developers can then install these packages on their own machines and subsequently deploy them into production.
The anonymous researcher demonstrated that they had the ability to modify the Packagist pages associated with these packages. This was done by altering the repository links on these pages so that they pointed to the researcher’s own (fraudulent) repository rather than the legitimate GitHub repository for each package. Thankfully, the Packagist team has since reverted these changes, so there is no immediate threat. They confirmed that the takeover had resulted from compromised maintainer account credentials: the researcher had taken over some old accounts which had insecure passwords and lacked two-factor authentication.
Risks of Community-Maintained Software Repositories
This recent incident underscores the vulnerabilities inherent in community-maintained repositories, whether they’re repositories for software modules like the previously hijacked NuGet repository, or application repositories such as Winget and Chocolatey. IT professionals who rely on these community-maintained software repositories are at a significant risk of having malicious code infiltrate their systems.
Despite being cautious in choosing applications and modules, they are still susceptible to hijacking. Merely verifying repository metadata does not provide enough protection. For instance, download links for software packages can be manipulated or replaced to lead to malware, and installation scripts could be altered to set up delayed lateral movement opportunities, among other risks.
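One complementary check a team can run in CI, shown here as an added example that is not part of the original post or of Action1's tooling: because Packagist only points at upstream Git repositories, a hijacked Packagist page shows up as the package's source URL changing in composer.lock. The script pins each package to its expected upstream repository and flags drift or missing integrity fields; the package names, URLs and lock-file excerpt are constructed for the example.

```python
"""Audit a composer.lock against pinned upstream repositories (added example)."""
import json
import re

# Hypothetical allowlist: package name -> expected upstream repository URL.
EXPECTED_SOURCES = {
    "acme/widget": "https://github.com/acme/widget.git",
    "acme/logger": "https://github.com/acme/logger.git",
}

# Constructed composer.lock excerpt: 'acme/logger' has been redirected to a
# look-alike repository and its dist entry carries no checksum.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "acme/widget", "version": "1.4.2",
         "source": {"type": "git", "url": "https://github.com/acme/widget.git",
                    "reference": "a" * 40},
         "dist": {"type": "zip", "shasum": "b" * 40}},
        {"name": "acme/logger", "version": "2.0.1",
         "source": {"type": "git",
                    "url": "https://github.com/acme-mirror/logger.git",
                    "reference": "c" * 40},
         "dist": {"type": "zip", "shasum": ""}},
    ]
})


def audit_lock(lock_json: str, expected: dict) -> list:
    """Return (package, finding) tuples; an empty list means nothing drifted."""
    findings = []
    for pkg in json.loads(lock_json).get("packages", []):
        name = pkg["name"]
        source = pkg.get("source", {})
        url = source.get("url", "")
        # Primary signal: the upstream repository no longer matches the pin.
        if name in expected and url != expected[name]:
            findings.append((name, f"source drift: {url}"))
        # A lock file should pin an exact commit, not a branch or tag name.
        if not re.fullmatch(r"[0-9a-f]{40}", source.get("reference", "")):
            findings.append((name, "unpinned source reference"))
        # Weak signal: many real Packagist dist entries have an empty shasum,
        # so treat this as informational rather than as proof of tampering.
        if not pkg.get("dist", {}).get("shasum"):
            findings.append((name, "dist entry has no shasum"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_lock(SAMPLE_LOCK, EXPECTED_SOURCES):
        print(f"{name}: {finding}")
```

Run it against a real composer.lock with your own allowlist after each `composer update`, and fail the build on any "source drift" finding.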
Private Software Repository Approach
Unlike other organizations, Action1 does not rely on any public software repositories, as we have adopted a ‘zero trust’ approach towards community-supported content. Our system for patching third-party applications, which include web browsers, desktop apps, utilities, and more, is managed by our dedicated in-house team. This team conducts thorough checks and tests on all updates to third-party applications as soon as they are released. This rigorous process is designed to ensure the integrity of these updates and to eliminate any potential risk that could compromise our customers’ systems.
Moreover, to prevent any compromise or hijacking by malicious actors, Action1 hosts all application packages internally and uses secure peer-to-peer software and patch distribution technology. This further ensures the security of the applications we deliver to our clients.
About Action1
Action1 provides a risk-based patch management solution for distributed work-from-anywhere organizations. Action1 helps to discover, prioritize, and remediate vulnerabilities in a single solution to prevent security breaches and ransomware attacks. It automates patching of third-party applications and OS, drivers, and firmware, ensuring continuous patch compliance and remediation of security vulnerabilities before they are exploited.