An adversary spoofs open-source software metadata in an attempt to masquerade malicious software as popular, maintained, and trusted.
Description
Mitigations
After downloading open-source software, ensure integrity values have not changed.
Before downloading open-source software, perform precursory metadata checks to determine the author(s), frequency of updates, when the software was last updated, and if the software is widely leveraged.
Before executing or incorporating the software, leverage automated testing techniques (e.g., static and dynamic analysis) to determine if the software behaves maliciously.
Only download open-source software from reputable hosting sites or package managers.
Only download open-source software that has been adequately signed by the developer(s). For repository commits/tags, look for the "Verified" status and for developers leveraging "vigilant mode" (GitHub) or similar modes.
Reference vulnerability databases to determine if the software contains known vulnerabilities.
Within package managers, look for conflicting or non-unique repository references to determine if multiple packages share the same repository reference.
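The mitigations above (verify integrity values after download, check maintainer, update and adoption metadata before download, and flag packages that share a repository reference) can be scripted against a package index. The following is an added illustration, not code from CAPEC or from any package manager; the index, its field names, the dates and the thresholds are constructed assumptions.

```python
"""Precursory metadata checks and post-download integrity verification.

Hypothetical helper (not CAPEC's or any registry's code). PACKAGE_INDEX is a
constructed sample; its field names are this example's assumptions, not a real
package-manager schema.
"""
import hashlib
import hmac
from collections import defaultdict
from datetime import date

TODAY = date(2024, 6, 1)  # constructed reference date for the age check

PACKAGE_INDEX = [
    {"name": "fastjson-utils", "repo": "https://github.com/example-org/fastjson",
     "authors": ["alice", "bob"], "last_update": date(2024, 5, 20),
     "weekly_downloads": 120000},
    {"name": "fastjson-utlis",  # look-alike name claiming the same upstream repo
     "repo": "https://github.com/example-org/fastjson",
     "authors": ["mallory"], "last_update": date(2024, 5, 30),
     "weekly_downloads": 40},
    {"name": "tinyyaml", "repo": "https://github.com/example-org/tinyyaml",
     "authors": ["carol"], "last_update": date(2021, 1, 15),
     "weekly_downloads": 9000},
]


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a downloaded artifact."""
    return hashlib.sha256(data).hexdigest()


def verify_sha256(data: bytes, published_hex: str) -> bool:
    """Compare the artifact digest with the integrity value the publisher listed.

    compare_digest avoids timing differences; the published value is normalised
    so that case or surrounding whitespace does not cause a false mismatch.
    """
    return hmac.compare_digest(sha256_hex(data), published_hex.strip().lower())


def shared_repo_references(index):
    """Map each repository URL referenced by more than one package to those packages."""
    by_repo = defaultdict(list)
    for pkg in index:
        by_repo[pkg["repo"].rstrip("/").lower()].append(pkg["name"])
    return {repo: sorted(names) for repo, names in by_repo.items() if len(names) > 1}


def metadata_warnings(pkg, today=TODAY, max_age_days=365, min_weekly_downloads=1000):
    """Flag stale, little-used or single-maintainer packages (thresholds are assumptions)."""
    warnings = []
    age = (today - pkg["last_update"]).days
    if age > max_age_days:
        warnings.append(f"stale: last updated {age} days ago")
    if pkg["weekly_downloads"] < min_weekly_downloads:
        warnings.append(f"low adoption: {pkg['weekly_downloads']} weekly downloads")
    if len(pkg["authors"]) < 2:
        warnings.append("single maintainer")
    return warnings


def review_index(index, today=TODAY):
    """Return {package name: [findings]} combining metadata and repo-reference checks."""
    shared = shared_repo_references(index)
    report = {}
    for pkg in index:
        flags = metadata_warnings(pkg, today)
        repo = pkg["repo"].rstrip("/").lower()
        if repo in shared:
            others = [n for n in shared[repo] if n != pkg["name"]]
            flags.append("repository reference shared with: " + ", ".join(others))
        report[pkg["name"]] = flags
    return report


if __name__ == "__main__":
    for name, flags in review_index(PACKAGE_INDEX).items():
        print(name, "->", flags or ["no findings"])
    # Post-download check: the publisher's listed digest versus what was fetched.
    artifact = b"constructed artifact bytes"
    print("integrity ok:", verify_sha256(artifact, sha256_hex(artifact)))
```

Running the script lists the look-alike package as low-adoption, single-maintainer and sharing its repository reference with the established package, which is exactly the conflicting-reference signal the last mitigation describes; the integrity check is only meaningful when the published digest comes from a channel the adversary does not control (a signed release note or the upstream repository), not from the same listing as the artifact.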
Consequences
Security Scopes Affected
Access Control
Accountability
Authorization
Integrity
Potential Impacts
Alter Execution Logic
Execute Unauthorized Commands
Gain Privileges
Hide Activities
Modify Data
Relationships
Parent CAPECs
Related CAPECs
Related ATT&CK Techniques
T1195.001
Compromise Software Dependencies and Development Tools
Adversaries may manipulate software dependencies and development tools prior to receipt by a final consumer for the purpose of data …
T1195.002
Compromise Software Supply Chain
Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise. …