SAP / risk-explorer-for-software-supply-chains

A taxonomy of attacks on software supply chains in the form of an attack tree, based on and linked to numerous real-world incidents and other resources. The taxonomy as well as related safeguards can be explored using an interactive visualization tool.
https://sap.github.io/risk-explorer-for-software-supply-chains/
Apache License 2.0

New or existing attack vector "Omit scope/namespace" #26

Closed henrikplate closed 2 years ago

henrikplate commented 2 years ago

Suppose a legitimate npm package @foo/bar exists; attackers can deploy a malicious package bar to trick users. This could also work in other ecosystems that have scopes or namespaces.

piergiorgioladisa commented 2 years ago

Indeed, this was the case for the Java samples from the Backstabber's Knife Dataset (e.g., maven-compiler-plugin@3.9.0). I am in doubt whether to create a new attack vector or add this case to Brandjacking (as you said), thus extending the definition of the latter. I am more in favor of this last option.

henrikplate commented 2 years ago

Alright, let's broaden the definition of brandjacking to also cover this case. So far, its idea was to add a well-known prefix to a non-existing package, e.g., aws-foo. In the future, it would also cover publishing a package with an existing name but without the scope (brand).

henrikplate commented 2 years ago

I changed my mind and propose a new attack vector "Omitting Scope or Namespace", see #29. The reason is that this is not really about company brands, the omitted scope or namespace could be anything.
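As an added illustration of the vector discussed in this thread (example code, not part of the SAP risk-explorer project or the issue), the check below is a defender-side dependency audit: given an allowlist of the scoped or namespaced packages a project is expected to use, it flags any declared dependency that reuses the base name but omits the scope (the npm @foo/bar vs. bar case above) or carries a different namespace (the Maven groupId case). It generalizes the npm example to Maven coordinates; the allowlist, the package names and the package.json are constructed for the demonstration.

```javascript
// Added example, not code from the SAP risk-explorer project: flag dependencies
// that reuse the base name of an expected scoped/namespaced package but omit
// (or swap) the scope or namespace, i.e. the "Omitting Scope or Namespace"
// vector discussed in this issue. All package names below are constructed.

// Parse an npm package name into { scope, name }; unscoped names get scope null.
function parseNpmName(full) {
  const m = /^(?:(@[a-z0-9._-]+)\/)?([a-z0-9._-]+)$/i.exec(full);
  if (!m) throw new Error(`not a valid npm package name: ${full}`);
  return { scope: m[1] ? m[1].toLowerCase() : null, name: m[2].toLowerCase() };
}

// Parse Maven coordinates "groupId:artifactId[:version]" the same way,
// treating the groupId as the namespace.
function parseMavenCoordinate(coord) {
  const parts = coord.split(":");
  if (parts.length < 2 || parts[0] === "" || parts[1] === "") {
    throw new Error(`not a valid Maven coordinate: ${coord}`);
  }
  return { scope: parts[0], name: parts[1] };
}

const PARSERS = { npm: parseNpmName, maven: parseMavenCoordinate };

// Compare declared dependencies against an allowlist of expected scoped
// packages. A dependency whose base name matches an allowlist entry but whose
// scope is missing or different is reported as a finding.
function findScopeOmissions(dependencies, expected) {
  const byName = new Map();
  for (const e of expected) byName.set(`${e.ecosystem}:${e.name.toLowerCase()}`, e);
  const findings = [];
  for (const dep of dependencies) {
    const parse = PARSERS[dep.ecosystem];
    if (!parse) throw new Error(`unsupported ecosystem: ${dep.ecosystem}`);
    const { scope, name } = parse(dep.name);
    const exp = byName.get(`${dep.ecosystem}:${name.toLowerCase()}`);
    if (!exp || scope === exp.scope) continue; // unknown name, or scope as expected
    findings.push({
      dependency: dep.name,
      ecosystem: dep.ecosystem,
      expected: dep.ecosystem === "npm" ? `${exp.scope}/${exp.name}` : `${exp.scope}:${exp.name}`,
      reason: scope === null ? "scope omitted" : "scope differs",
    });
  }
  return findings;
}

// Convenience wrapper for an npm package.json: collects dependencies and
// devDependencies and runs the check over their names.
function checkPackageJson(packageJsonText, expected) {
  const pkg = JSON.parse(packageJsonText);
  const names = Object.keys({ ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) });
  return findScopeOmissions(names.map((name) => ({ ecosystem: "npm", name })), expected);
}

// Constructed allowlist: the scoped packages this (hypothetical) project expects.
const EXPECTED_SCOPED = [
  { ecosystem: "npm", scope: "@foo", name: "bar" },
  { ecosystem: "npm", scope: "@foo", name: "utils" },
  { ecosystem: "maven", scope: "org.example.build", name: "compiler-plugin" },
];

// Constructed manifest: "bar" omits the @foo scope, "@evil/utils" swaps it.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  dependencies: { bar: "^1.0.0", "@foo/utils": "^2.1.0", lodash: "^4.17.21" },
  devDependencies: { "@evil/utils": "1.0.0" },
});

function demo() {
  const npmFindings = checkPackageJson(SAMPLE_PACKAGE_JSON, EXPECTED_SCOPED);
  const mavenFindings = findScopeOmissions(
    [{ ecosystem: "maven", name: "com.example.other:compiler-plugin:3.9.0" }],
    EXPECTED_SCOPED,
  );
  return [...npmFindings, ...mavenFindings];
}

for (const f of demo()) {
  console.log(`${f.ecosystem}: ${f.dependency} (${f.reason}; expected ${f.expected})`);
}
```

In practice the allowlist would be derived from the scopes an organization actually publishes under, and the check run in CI against lockfiles as well as manifests, since a lockfile is where a resolved unscoped name first becomes visible.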