Cybersecurity researchers have uncovered vulnerabilities in multiple programming ecosystems—such as PyPI, npm, Ruby Gems, NuGet, Dart Pub, and Rust Crates—that could be exploited for software supply chain attacks.
“Attackers can exploit these entry points to execute malicious code when certain commands are triggered, creating a widespread threat in the open-source landscape,” noted Yehuda Gelb and Elad Rapaport from Checkmarx in a report shared with The Hacker News.
Checkmarx highlighted that entry-point attacks provide threat actors with a more covert and persistent way of infiltrating systems, often bypassing traditional security measures.
In languages like Python, entry points refer to mechanisms that allow developers to expose specific functionality as command-line tools (also known as console_scripts). They can also enable loading plugins to enhance a package’s capabilities.
While entry points significantly improve modularity, Checkmarx warned that the same feature could be weaponized to spread malicious code. This could be done through techniques such as command-jacking or deploying rogue plugins for popular tools and frameworks.
Command-jacking happens when counterfeit packages use entry points that mimic well-known third-party tools and commands (e.g., aws and docker). By doing so, they can steal sensitive data when developers install the package, even when it’s distributed as a .whl (wheel) file.
Commonly targeted third-party commands include npm, pip, git, kubectl, terraform, gcloud, heroku, and dotnet. Another form of command-jacking occurs when attackers use legitimate system command names (e.g., touch, curl, cd, ls, and mkdir) as entry points to hijack execution.
“The success of this method relies heavily on the PATH order,” the researchers explained. “If the directory with the malicious entry points is listed before system directories in the PATH, the malicious command will be executed instead of the legitimate one. This is especially common in development environments where local package directories are given priority.”
Additionally, Checkmarx identified a more discreet variant of command-jacking called command wrapping, where attackers create an entry point that acts as a wrapper around the original command, making it harder to detect.
What makes this technique particularly dangerous is its ability to execute malicious code silently while also running the original, legitimate command and delivering the expected results. This dual execution allows the attack to remain undetected.
“Since the legitimate command still functions normally, with its output and behavior intact, there’s no obvious indication of a breach, making it incredibly difficult to detect during regular usage,” the researchers explained. “This stealthy method enables attackers to maintain long-term access and potentially extract sensitive information without raising alarms.”
Another tactic in entry-point attacks involves developing malicious plugins and extensions for developer tools. These can grant attackers extensive access to the codebase, allowing them to alter program behavior or manipulate the testing process, making the code appear functional while hiding issues.
“Moving forward, it’s essential to implement robust security measures to address entry-point vulnerabilities,” the researchers advised. “By recognizing and mitigating these risks, we can create a more secure Python packaging ecosystem, protecting both developers and enterprise systems from advanced supply chain attacks.”
This warning follows Sonatype’s recent State of the Software Supply Chain report, which revealed that since November 2023, over 512,847 malicious packages have been detected in open-source ecosystems such as Java, JavaScript, Python, and .NET—representing a 156% year-over-year increase.
“Traditional security tools often miss these emerging threats, leaving developers and automated build systems highly exposed,” Sonatype stated. “As a result, we’re witnessing a new generation of supply chain attacks that directly target developers, bypassing conventional defenses.”
Source: TheHackerNews
