CAPEC-693: StarJacking

Description
<p>An adversary spoofs software popularity metadata to deceive users into believing that a maliciously provided package is widely used and originates from a trusted source.<p>
Extended Description

Many open-source software packages are hosted via third-party package managers (e.g., Node Package Manager, PyPi, Yarn, etc.) that allow for easy integration of software components into existing development environments. A package manager will typically include various metadata about the software and often include a link to the package's source code repository, to assist developers in determining the trustworthiness of the software. One common statistic used in this decision-making process is the popularity of the package. This entails checking the amount of "Stars" the package has received, which the package manager displays based on the provided source code repository URL. However, many package managers do not validate the connection between the package and source code repository being provided. Adversaries can thus spoof the popularity statistic of a malicious package by associating a popular source code repository URL with the package. This can ultimately trick developers into unintentionally incorporating the malicious package into their development environment.

Severity :

High

Possibility :

Medium

Type :

Detailed
Relationships with other CAPECs

This table shows the other attack patterns and high level categories that are related to this attack pattern.

Prerequisites

This table shows the other attack patterns and high level categories that are related to this attack pattern.

  • Identification of a popular open-source package whose popularity metadata is to be used for the malicious package.
Skills required

This table shows the other attack patterns and high level categories that are related to this attack pattern.

  • Low Ability to provide a package to a package manager and associate a popular package's source code repository URL.
Taxonomy mappings

Mappings to ATT&CK, OWASP and other frameworks.

Related CWE

A Related Weakness relationship associates a weakness with this attack pattern. Each association implies a weakness that must exist for a given attack to be successful.

Visit http://capec.mitre.org/ for more details.

© cvefeed.io
Latest DB Update: Nov. 05, 2024 5:29