Dark Mode
Capec-693 Detail
StarJacking
Detailed Social Engineering Supply Chain Software Likelihood: Medium Typical Severity: High
Parents: 691
An adversary spoofs software popularity metadata to deceive users into believing that a maliciously provided package is widely used and originates from a trusted source.
Many open-source software packages are hosted via third-party package managers (e.g., Node Package Manager, PyPi, Yarn, etc.) that allow for easy integration of software components into existing development environments. A package manager will typically include various metadata about the software and often include a link to the package's source code repository, to assist developers in determining the trustworthiness of the software. One common statistic used in this decision-making process is the popularity of the package. This entails checking the amount of "Stars" the package has received, which the package manager displays based on the provided source code repository URL. However, many package managers do not validate the connection between the package and source code repository being provided. Adversaries can thus spoof the popularity statistic of a malicious package by associating a popular source code repository URL with the package. This can ultimately trick developers into unintentionally incorporating the malicious package into their development environment.
| External ID | Source | Link | Description |
|---|---|---|---|
| CAPEC-693 | capec | https://capec.mitre.org/data/definitions/693.html | |
| CWE-494 | cwe | http://cwe.mitre.org/data/definitions/494.html | |
| REF-721 | reference_from_CAPEC | https://checkmarx.com/blog/starjacking-making-your-new-open-source-package-popular-in-a-snap/ | Tzachi Zornstein, StarJacking – Making Your New Open Source Package Popular in a Snap, 2022--04---19, Checkmarx |
Explore
-
Identify target: The adversary must first identify a target package whose popularity statistics will be leveraged. This will be a popular and widely used package, as to increase the perceived pedigree of the malicious package.
Experiment
-
Spoof package popularity: The adversary provides their malicious package to a package manager and uses the source code repository URL identified in Step 1 to spoof the popularity of the package. This malicious package may also closely resemble the legitimate package whose statistics are being utilized.
Exploit
-
Exploit victims: The adversary infiltrates development environments with the goal of conducting additional attacks.
| Techniques |
|---|
| Active: The adversary attempts to trick victims into downloading the malicious package by means such as phishing and social engineering. |
| Passive: The adversary waits for victims to download and leverage the malicious package. |
- Identification of a popular open-source package whose popularity metadata is to be used for the malicious package.
Not present
| Low |
|---|
| Ability to provide a package to a package manager and associate a popular package's source code repository URL. |
| Integrity | Authorization | Access Control | Accountability |
|---|---|---|---|
| Modify Data | Execute Unauthorized Commands | Execute Unauthorized Commands | Hide Activities |
| Alter Execution Logic | Alter Execution Logic | ||
| Gain Privileges | Gain Privileges |
- In April 2022, Checkmarx reported that packages hosted on NPM, PyPi, and Yarn do not properly validate that the provided GitHub repository URL actually pertains to the package being provided. Combined with additional attacks such as TypoSquatting, this allows adversaries to spoof popularity metadata by associating popular GitHub repository URLs with the malicious package. This can further lead to developers unintentionally including the malicious package within their development environments [REF-721].