- npm (the Node.js package deal supervisor)
- pip (the Python package deal installer)
- git (a model management system)
- kubectl (a Kubernetes command-line instrument)
- terraform (an Infrastructure as Code instrument)
- gcloud (Google Cloud’s command-line interface)
- heroku (the Heroku command line interface)
- dotnet (the command line interface for .NET Core)
“Every of those instructions is broadly utilized in varied improvement environments, making them enticing targets for attackers trying to maximize the affect of their malicious packages,” says the report.
One other command jacking tactic has been dubbed “command wrapping.” As an alternative of changing a command, an attacker creates an entry level that acts as a wrapper across the authentic command. This stealthy method permits attackers to keep up long-term entry and probably exfiltrate delicate info with out elevating suspicion, says the report. Nevertheless, it provides, implementing command wrapping requires extra analysis by the attacker. They should perceive the right paths for the focused instructions on completely different working techniques and account for potential errors of their code. This complexity will increase with the range of techniques the assault targets.
A 3rd tactic can be creating malicious plugins for in style instruments and frameworks. For instance, if an attacker wished to focus on Python’s pytest testing framework, they’d create a plugin which seems to be a utility to assist in testing that makes use of pytest’s entry level. The plugin might then run malicious code within the background, or enable buggy or susceptible code to move high quality checks.