MCP Security Alert: MarkItDown, Archon OS, Kubectl MCP
Read the Latest Research
Open Software Supply Chain Attack Reference (OSC&R) > T0151 - Installation scripts

Realms:

Cloud Security Code Security Open Source Security

T0151 - Installation scripts

A package installation script injection attack is a type of security exploit that involves an attacker injecting malicious code into a legitimate software package installation script. The attack typically occurs when an attacker gains access to the distribution network of a software vendor or package manager, and injects malicious code into the package installation script. This code may be designed to carry out a range of nefarious activities, such as stealing sensitive information, creating backdoors, or executing arbitrary code on the victim's system. Once the victim downloads and installs the compromised software package, the injected code is executed, giving the attacker access to the victim's system.
ID: T0151
Type: Technique
Tactic: Execution
Summary: Installation scripts
State: Draft

Mitigations

ID
TYPE
SUMMARY
DESCRIPTION
M1500
Mitigation
Mitigation Verify third-party artifacts and open-source libraries Verify third-party artifacts used in code are trusted and have not been infected by a malicious actor before use.
This can be accomplished, for example, by comparing the checksum of the dependency to its checksum in a trusted source. If a difference arises, this may be a sign that someone interfered and added malicious code. If this dependency is used, it will infect the environment and could end in a massive breach, leaving the organization exposed to data leaks and more.
M1502
Mitigation
Mitigation Define trusted package managers and repositories When pulling a package by name, the package manager might look for it in several package registries, some of which may be untrusted or badly configured.
If the package is pulled from such a registry, there is a higher likelihood that it could prove malicious. In order to avoid this, configure packages to be pulled from trusted package registries.
M1503
Mitigation
Mitigation Implement SCA analysis Component Analysis is the process of identifying potential areas of risk from the use of third-party and open-source software and hardware components.
The best option for implementing SCA analysis is integration of SCA analysis tools into your CI/CD environment in order to scan your source code dependencies before the release.

Detections

ID
TYPE
SUMMARY
DESCRIPTION
D1510
Detection
Detection Implement Intrusion Detection System and anti-malware An intrusion detection system (IDS) is a security tool designed to detect and alert on unauthorized access to a computer system or network.
Implementing intrusion detection systems (IDS) and anti-malware software can help to identify and block malicious activity. IDS is a critical security tool that helps organizations to detect and respond to security incidents in a timely manner. By providing real-time monitoring and analysis of network traffic, IDS can help organizations to stay ahead of potential threats and reduce the risk of a security breach.

References

  1. https://www.fortinet.com/blog/threat-research/more-supply-chain-attacks-via-new-malicious-python-packages-in-pypi
  2. https://medium.com/checkmarx-security/the-skeleton-squad-tracing-the-origins-and-scope-of-5000-malicious-packages-on-pypi-7516c16e4da9
  3. https://medium.com/checkmarx-security/automatic-execution-of-code-upon-package-download-on-python-package-manager-cd6ed9e366a8
Group 1000004924

OSC&R Threat Report Uncovers Urgent Software Supply Chain Risks

AppSec teams are overwhelmed by useless alerts, managing numerous applications with vulnerabilities across various kill-chain stages, making them increasingly susceptible to successful attacks.
Download Report Download