By Prasanna Raghavendra, Senior Director, R&D at JFrog India
Indian businesses are adopting global technology innovation trends and harnessing enterprise applications to gain a competitive edge and maintain rapid progress. Over the years, India has achieved remarkable progress in technology and the digital economy. From advancing AI capabilities to embracing digital payments, 5G, and high-performance computing, India has emerged as a leading innovator on the global stage.
The country’s ongoing digital transformation (DX) adoption landscape is rapidly changing, with projected DX spending set to reach USD 23.6 billion by 2025 at a CAGR of 17 percent. Additionally, as businesses undergo a paradigm shift in their long-term strategic digital and resilience objectives, investments in DX technology are poised to experience further acceleration.
This hypergrowth demands rapid software development that is tightly integrated with security, faster deployment, as well as incremental updates. This is where DevOps comes into play, facilitating swift software delivery.
The growing reliance on software applications has led to an increased dependency on open-source software (OSS) libraries. While open-source software offers undeniable advantages, it also brings security challenges. OSS now constitutes a significant portion of all enterprise business-critical software in India, making it a prime target for cyber threats, with malicious actors exploiting vulnerabilities in software supply chains.
Developers have become the first line of defense against software supply chain attacks. Ideally, DevOps teams should proactively protect against high-risk packages before they infiltrate the organisation’s infrastructure. This necessitates early-stage analysis of open-source packages, aiming to block risky or malicious components at the point of request or update to safeguard the software ecosystem.
Emerging threat: Software package hijacking
Software package hijacking is a growing cybersecurity threat to digital native businesses in India, where legitimate software packages are injected with malicious code. Although challenging to execute, this method is highly effective due to the widespread use of these packages, resulting in a high infection rate. When a package hijacking incident is detected, package maintainers or public repository administrators work to remove the malicious version and publish a clean one, rendering the infected version inaccessible.
There are two primary types of software package hijacking:
1. External Package Hijacking: Typically carried out through unauthorised access to maintainers and developers, accounts, or by discreetly injecting hidden malicious code into legitimate code contributions to open-source projects. An example is the PyTorch library, a renowned Python machine-learning framework with more than 180 million downloads. In December 2022, PyTorch experienced a dependency hijacking attack directly targeting the machine learning (ML) developer community. The attacker successfully acquired PyTorch maintainer credentials and introduced a malicious dependency named torchtriton into the project. The malicious package garnered more than 3,000 downloads within just five days. The payload concealed within torchtriton exfiltrated sensitive information, including Secure Shell (SSH) keys and environment variables, sending them to the attacker’s server.
2. Self-Package Hijacking (Protestware): Software package hijacking isn’t limited to external malicious actors; developers and project maintainers themselves sometimes engage in this activity as a form of protest or advocacy for their beliefs. This form of hijacking, often referred to as protestware is a concerning trend because it can be difficult for an organisation to recognise it before it’s too late. Take, for instance, faker and Colors two npm packages highly favored by Node.js developers. In January 2022, the author intentionally sabotaged the packages to protest against large corporations that didn’t contribute to the open-source community. They sabotaged both packages by injecting an infinite loop into the code, effectively rendering thousands of projects that depended on these packages inoperable. It took two days to detect this malicious modification following the release of the tainted versions.
By making this single alteration to the package code, many Indian companies were impacted by the malicious code, facing significant disruptions to their products and development workflows.
Defense Strategy: Curate Before You Code
It’s not surprising that these hijacking methods have gained prominence in India in recent years, as up to 96% of applications contain at least one open-source component. As Indian developers collaborate on software production, there is one word they should become familiar with when it comes to securing the software development pipeline: Curation.
At a high level, the word Curation is defined as the act of thoughtfully selecting and organising items, a process typically associated with articles, images, music, and so on. In this case, however, the items being curated are open-source software components, acting as an automated lock to safeguard the gateway of the software pipeline. It entails filtering, tracking, and managing software packages based on preset policies to ensure the use of reliable components across the development lifecycle.
Curating software components streamline development by guaranteeing the safety, reliability, and current status of packages. The idea is to protect against both known and unknown risks through a comprehensive approach that strengthens the organisation’s software supply chain by establishing a trusted source of packages. Approved packages could then be cataloged for re-use, or to point.
As the concept of DevSecOps (development + security + operations) gains prominence in India, Curation serves as the initial defense, preventing package-related risks early in the software development process to improve alignment within the organisation and enhance the overall developer experience. Effectively curating software packages within the software supply chain provides peace of mind by offering secure building blocks for development teams.
Ultimately, software package hijacking is a growing concern in the Indian cybersecurity landscape as external actors and, in some cases, even developers themselves attack software packages to execute malicious code. Vigilance through proactive curation of software packages, improved security measures across the software supply chain, and rapid incident response are all essential in safeguarding the integrity of software packages upon which countless developers and organisations in India rely.
The integration of Curation and Catalog can play a major role as a crucial defense strategy against the escalating threat of software package hijacking. Indian organisations can streamline development processes, guarantee the safety of software components, and enhance the overall developer experience by leveraging both Curation and Catalog. This will help the organisations strike a balance between speed and security in the face of emerging cyber threats.
