CAPEC-443 Detail
Malicious Logic Inserted Into Product by Authorized Developer
Abstraction: Detailed | Domains: Supply Chain, Software, Hardware | Likelihood: Medium | Typical Severity: High
Parents: 444
Threats: T62 T68 T274 T393
An adversary uses their privileged position within an authorized development organization to inject malicious logic into a codebase or product.
Supply chain attacks from approved or trusted developers are extremely difficult to detect as it is generally assumed the quality control and internal security measures of these organizations conform to best practices. In some cases the malicious logic is intentional, embedded by a disgruntled employee, programmer, or individual with an otherwise hidden agenda. In other cases, the integrity of the product is compromised by accident (e.g. by lapse in the internal security of the organization that results in a product becoming contaminated). In further cases, the developer embeds a backdoor into a product to serve some purpose, such as product support, but discovery of the backdoor results in its malicious use by adversaries. It is also worth noting that this attack can occur during initial product development or throughout a product's sustainment.
| External ID | Source | Link | Description |
|---|---|---|---|
| CAPEC-443 | capec | https://capec.mitre.org/data/definitions/443.html | |
| T1195.002 | ATTACK | https://attack.mitre.org/wiki/Technique/T1195/002 | Supply Chain Compromise: Compromise Software Supply Chain |
| T1195.003 | ATTACK | https://attack.mitre.org/wiki/Technique/T1195/003 | Supply Chain Compromise: Compromise Hardware Supply Chain |
| REF-379 | reference_from_CAPEC | https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-161r1-draft2.pdf | Jon Boyens, Angela Smith, Nadya Bartol, Kris Winkler, Alex Holbrook, Matthew Fallon, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (2nd Draft), 2021-10-28, National Institute of Standards and Technology (NIST) |
| REF-704 | reference_from_CAPEC | https://www.bleepingcomputer.com/news/security/dev-corrupts-npm-libs-colors-and-faker-breaking-thousands-of-apps/ | Ax Sharma, Dev corrupts NPM libs 'colors' and 'faker' breaking thousands of apps, 2022-01-09, BleepingComputer |
| REF-705 | reference_from_CAPEC | https://sysdig.com/blog/malicious-modifications-detection-sysdig/ | Alberto Pellitteri, Malicious modifications to open source projects affecting thousands, 2022-01-12, SysDig |
- Access to the product during the initial or continuous development.
| Scope | Impact |
|---|---|
| Authorization | Execute Unauthorized Commands |
- In January 2022 the author of the popular JavaScript packages "Faker" and "colors", used for generating mock data and for colored text output in NodeJS consoles respectively, introduced malicious code that resulted in a Denial of Service (DoS) via an infinite loop. When applications that leveraged these packages updated to the malicious version, they executed the infinite loop and printed gibberish ASCII characters endlessly. This left the application unusable until a stable version of the package was obtained. [REF-705]
- During initial development, an authorized hardware developer implants a malicious microcontroller within an Internet of Things (IoT) device and programs the microcontroller to communicate with the vulnerable device. Each time the device initializes, the malicious microcontroller's code is executed, which ultimately provides the adversary with backdoor access to the vulnerable device. This can further allow the adversary to sniff network traffic, exfiltrate data, execute unauthorized commands, and/or pivot to other vulnerable devices.
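The "colors"/"faker" instance above succeeded because consuming applications picked up a newly published release automatically. The defensive control a practitioner wants at that point is twofold: refuse version ranges that let a routine install pull an unreviewed release, and verify that the tarball actually fetched matches the integrity hash recorded when the release was reviewed. The Python below is an added example written for this page, not CAPEC's or npm's own code. The package names come from the incident described above; the versions, the lockfile contents and the tarball bytes are constructed stand-ins.

```python
import base64
import hashlib
import hmac
import json
import re

# Constructed package.json for this example: "colors" is pinned to one exact
# version, while "faker" uses a caret range that lets a routine install pull in
# whatever newer release the maintainer publishes next. The package names come
# from the incident described on the page; the versions are invented.
PACKAGE_JSON = json.dumps({
    "dependencies": {"colors": "1.4.0", "faker": "^5.5.3"}
})

# Constructed stand-in for the tarball bytes of the reviewed, known-good release.
KNOWN_GOOD_TARBALL = b"constructed tarball bytes for colors@1.4.0"

# An exact semver pin: MAJOR.MINOR.PATCH with an optional pre-release suffix and
# no range operator (^, ~, >=, *, ...) in front of it.
EXACT_PIN = re.compile(r"\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?")


def sri_sha512(data: bytes) -> str:
    """SHA-512 digest in the Subresource Integrity form npm writes to package-lock.json."""
    return "sha512-" + base64.b64encode(hashlib.sha512(data).digest()).decode("ascii")


# Constructed package-lock.json recording the integrity hash of the known-good tarball.
PACKAGE_LOCK = json.dumps({
    "packages": {
        "node_modules/colors": {
            "version": "1.4.0",
            "integrity": sri_sha512(KNOWN_GOOD_TARBALL),
        }
    }
})


def unpinned_dependencies(package_json: str) -> list:
    """Return dependency names whose specifier is a range rather than an exact version."""
    deps = json.loads(package_json).get("dependencies", {})
    return sorted(name for name, spec in deps.items() if not EXACT_PIN.fullmatch(spec))


def verify_tarball(package_lock: str, name: str, tarball: bytes) -> bool:
    """Check a fetched tarball against the integrity hash pinned in the lockfile.

    A release whose bytes changed after review (the lockfile still names the same
    version, but the registry now serves different content) fails this check.
    """
    entry = json.loads(package_lock)["packages"].get(f"node_modules/{name}")
    if entry is None or "integrity" not in entry:
        return False  # nothing pinned: treat as unverified, not as trusted
    return hmac.compare_digest(entry["integrity"], sri_sha512(tarball))


if __name__ == "__main__":
    print("unpinned:", unpinned_dependencies(PACKAGE_JSON))
    print("colors tarball verified:",
          verify_tarball(PACKAGE_LOCK, "colors", KNOWN_GOOD_TARBALL))
    print("tampered tarball verified:",
          verify_tarball(PACKAGE_LOCK, "colors", KNOWN_GOOD_TARBALL + b"!"))
```

Run as a pre-install gate in CI, `unpinned_dependencies` flags "faker" because its caret range would have accepted the sabotaged release, and `verify_tarball` rejects any archive whose bytes differ from the reviewed one. Note the limit of the control: it detects a change relative to the version that was reviewed, so the review of the pinned release itself still has to happen; a malicious version that was pinned and hashed in good faith passes the check.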