DevPhish: Exploring Social Engineering in Software Supply Chain Attacks on Developers (2402.18401v3)

Published 28 Feb 2024 in cs.SE and cs.CR

Abstract: The Software Supply Chain (SSC) has captured considerable attention from attackers seeking to infiltrate systems and undermine organizations. There is evidence indicating that adversaries utilize Social Engineering (SocE) techniques specifically aimed at software developers. That is, they interact with developers at critical steps in the Software Development Life Cycle (SDLC), such as accessing GitHub repositories, incorporating code dependencies, and obtaining approval for Pull Requests (PRs) to introduce malicious code. This paper aims to comprehensively explore the existing and emerging SocE tactics employed by adversaries to trick Software Engineers (SWEs) into delivering malicious software. By analyzing a diverse range of resources, which encompass established academic literature and real-world incidents, the paper systematically presents an overview of these manipulative strategies within the realm of the SSC. Such insights prove highly beneficial for threat modeling and security gap analysis.
