Risk Explorer for Software Supply Chains



This page presents a taxonomy of known attacks and techniques to inject malicious code into open-source software projects.
A so-called attack tree is used to organize those techniques hierarchically, starting from the abstract, top-level goal down to alternative and more concrete attack techniques.
This information has been compiled on the basis of numerous real-world incidents, i.e. actual attacks and vulnerabilities, as well as plausible proofs of concept and scientific literature.
The page also documents safeguards that fully or partially mitigate the different attack techniques, with references to existing standards and frameworks.

Attack tree (node labels from the interactive visualization; root goal: Conduct Open-Source Supply Chain Attack). Labels that recur under several branches are listed once, and the hierarchy is shown in the visualization itself:

Subvert Legitimate Package
Create Name Confusion with Legitimate Package
Develop and Advertise Distinct Malicious Package from Scratch
Infect through Malicious Component
Exploit Vulnerabilities
Exploit Weak Configuration
Compromise Hosting System
Reuse of Existing Session
Social Engineering to Obtain Credentials
Reuse of Leaked API Tokens
Bruteforce
Reuse of Compromised Credentials
Take-over Legitimate Account
Bribe or Blackmail Legitimate User
Compromise User (Project Maintainer/Administrator)
Inject into Hosting System
Compromise Maintainer System
Become a Maintainer
Distribute as Package Maintainer
Prevent Update to Non-Vulnerable Version
Abuse Dependency Resolution Mechanism
Tamper Legitimate URL
DNS Cache Poisoning
MITM Attack
Mask Legitimate Package
Dangling Reference
Distribute Malicious Version of Legitimate Package
Compromise Build System
Tamper with Exposed Build System
Tamper Build Job as Maintainer
Run Malicious Build
Inject During the Build of Legitimate Package
Compromise Version Control System
Tamper with Version Control System
Contribute as Maintainer
Hide in Generated/Compiled/Minified Code
Prevent Display of File Differences
Use Homoglyphs
Exploit Unicode Bidirectional Algorithm
Exploit Rendering Weakness
Make Immature Vulnerability Exploitable
Introduce Malicious Code through Hypocrite Merge Request
Inject into Sources of Legitimate Package
Similarity Attack
Brandjacking
Built-In Package
Typosquatting
Manipulating Word Separators
Altering Word Order
Combosquatting

Why

We found that existing works on open-source supply chain security lack a comprehensive, comprehensible, and general description of how attackers inject malicious code into open-source projects, linked to real-world incidents and independent of specific programming languages, ecosystems, technologies and stakeholders.

We believe a taxonomy classifying such attacks is of value for both academia and industry. Serving as a common reference and clarifying terminology, it could support several activities, e.g. awareness-raising, safeguard development, pentest scoping or threat modeling.

How to Use

Explore the taxonomy with the help of the visualization tool:
Single-click a node to expand or collapse it and to show associated information such as its description, references, associated examples and related countermeasures.

Explore the Attack Tree

Read about the open-source supply chain model (stakeholders, systems and interactions)

Contribute

The data model underlying the visualization comprises attack vectors, safeguards and references, all associated with one another.

Read about the JSON files and their structure

Create pull requests to add real-life examples or other improvements

Copyright (c) 2022 SAP SE or an SAP affiliate company and Risk Explorer for Software Supply Chains contributors

This project is partially funded by the EU Horizon 2020 projects SPARTA (Grant Agreement No. 830892) and AssureMOSS (Grant Agreement No. 952647)