Software supply chain attacks, in which attack groups trick software developers into integrating malicious open source components into their applications, are on the rise. To help developers identify malicious packages, Checkmarx has launched Supply Chain Threat Intelligence, an API that delivers detailed threat intelligence on hundreds of thousands of malicious packages, contributor reputation, and malicious behavior.
Checkmarx says it identifies malicious packages by attack type, such as dependency confusion, typosquatting, and chainjacking. Contributor reputation is calculated by analyzing anomalous activity within packages.
Supply Chain Threat Intelligence is based on threat intelligence research by Checkmarx Labs and includes the 150,878 malicious packages the team discovered in 2022, the company says. Checkmarx then applies machine learning, retro-hunting, and cross-language hunting to identify emerging threats. The company also uses static and dynamic analysis to understand how the code in the package runs.
Security works best when it is part of the developer workflow. Checkmarx says Supply Chain Threat Intelligence integrates with widely used developer tools and environments. The developer obtains a unique token from Checkmarx, sends in a package name and its version number, and receives threat intelligence on the specified package. The developer then has information on what the package does, whether the package is considered malicious, and the reputation of the developer associated with the package.
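One way a CI pipeline might consume such a lookup, as an added example rather than Checkmarx's own client: the endpoint URL, query parameters and JSON field names are assumptions, and only the inputs (token, package name, version) and outputs (malicious verdict, attack type, contributor reputation) come from the description above.

```python
# Added example (not Checkmarx code): gate a dependency on supply-chain threat intel.
# Endpoint, request and response schema are assumptions; the real API documents its own.
import json
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import Optional
API_URL = "https://example.invalid/threat-intel"  # placeholder, not the real endpoint
ATTACK_TYPES = {"dependency_confusion", "typosquatting", "chainjacking"}

@dataclass
class Verdict:
    package: str
    version: str
    malicious: bool
    attack_type: Optional[str]
    contributor_reputation: float  # assumed 0.0 (worst) to 1.0 (best)

def parse_verdict(payload: dict) -> Verdict:
    """Map an (assumed) JSON response onto a Verdict; a missing verdict fails closed."""
    attack = payload.get("attack_type")
    if attack is not None and attack not in ATTACK_TYPES:
        attack = "unknown"
    return Verdict(payload["package"], payload["version"],
                   bool(payload.get("malicious", True)), attack,
                   float(payload.get("contributor_reputation", 0.0)))

def query(token: str, package: str, version: str) -> Verdict:
    """Send package name and version with the developer's token (assumed wire format)."""
    url = API_URL + "?" + urllib.parse.urlencode({"package": package, "version": version})
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_verdict(json.load(resp))

def decide(v: Verdict, min_reputation: float = 0.5) -> str:
    """CI policy: block known-malicious packages, warn on low contributor reputation."""
    if v.malicious:
        return f"BLOCK {v.package}=={v.version}: {v.attack_type or 'malicious'}"
    if v.contributor_reputation < min_reputation:
        return f"WARN {v.package}=={v.version}: contributor reputation {v.contributor_reputation:.2f}"
    return f"ALLOW {v.package}=={v.version}"

SAMPLES = [  # constructed responses standing in for live API calls
    {"package": "examplelib-typo", "version": "1.0.0", "malicious": True,
     "attack_type": "typosquatting", "contributor_reputation": 0.05},
    {"package": "newlib", "version": "0.1.0", "malicious": False,
     "attack_type": None, "contributor_reputation": 0.2},
]
def gate_all(responses=SAMPLES):
    return [decide(parse_verdict(r)) for r in responses]
```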
Reporting packages does not stop attack groups, as they create new sock-puppet accounts and continue publishing them, Checkmarx says. The company maintains a data lake of all the packages scanned so that the team can continue analyzing them even after they have been deleted from package managers, the company says. This can help link multiple packages to the same threat actor or uncover patterns over time.