CAPEC-693

StarJacking
Média
Alta
Stable
2022-09-29
00h00 +00:00
CAPEC Mitre.org
Alerta para um CAPEC
Fique informado sobre quaisquer alterações para um CAPEC específico.
Gerenciar notificações

Informações CAPEC

Fluxo de Execução

1) Explore

[Identify target] The adversary must first identify a target package whose popularity statistics will be leveraged. This will be a popular and widely used package, as to increase the perceived pedigree of the malicious package.

2) Experiment

[Spoof package popularity] The adversary provides their malicious package to a package manager and uses the source code repository URL identified in Step 1 to spoof the popularity of the package. This malicious package may also closely resemble the legitimate package whose statistics are being utilized.

3) Exploit

[Exploit victims] The adversary infiltrates development environments with the goal of conducting additional attacks.

Técnica
  • Active: The adversary attempts to trick victims into downloading the malicious package by means such as phishing and social engineering.
  • Passive: The adversary waits for victims to download and leverage the malicious package.

Pré-requisitos

Identification of a popular open-source package whose popularity metadata is to be used for the malicious package.

Habilidades Necessárias

Ability to provide a package to a package manager and associate a popular package's source code repository URL.

Mitigações

Before downloading open-source packages, perform precursory metadata checks to determine the author(s), frequency of updates, when the software was last updated, and if the software is widely leveraged.
Look for conflicting or non-unique repository references to determine if multiple packages share the same repository reference.
Reference vulnerability databases to determine if the software contains known vulnerabilities.
Only download open-source packages from reputable package managers.
After downloading open-source packages, ensure integrity values have not changed.
Before executing or incorporating the package, leverage automated testing techniques (e.g., static and dynamic analysis) to determine if the software behaves maliciously.

Fraquezas Relacionadas

CWE-ID Nome da Fraqueza

CWE-494

 Download of Code Without Integrity Check
The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code.

Referências

REF-721

StarJacking – Making Your New Open Source Package Popular in a Snap
Tzachi Zornstein.
https://checkmarx.com/blog/starjacking-making-your-new-open-source-package-popular-in-a-snap/

Submissão

Nome Organização Data Data de lançamento
CAPEC Content Team The MITRE Corporation 2022-09-29 +00:00
As informações apresentadas no CVE Find originam-se de várias fontes de referência cuidadosamente selecionadas. Os dados CVE são fornecidos pela MITRE Corporation e pelo National Vulnerability Database (NVD). O catálogo de Vulnerabilidades Conhecidas Exploradas (KEV) é proveniente da Cybersecurity and Infrastructure Security Agency (CISA), enquanto as pontuações EPSS vêm do FIRST.org. Além disso, os dados sobre fraquezas de software (CWE) e padrões de ataque comuns (CAPEC) são mantidos pela MITRE Corporation, e as informações sobre configurações de hardware e software (CPE) são fornecidas pelo NVD.