Spotting compromises hidden deep in open source- or commercial supply chains is difficult under the best of circumstances. For developers and development teams tasked with achieving aggressive development and release goals — an environment in which software security and integrity are low priorities — the job is even harder. That’s why, today, ReversingLabs introduced a new offering that helps developers to rapidly assess the security and quality of millions of open source packages spread across platforms such as npm, PyPI and RubyGems.
Spectra Assure Community is a tool that enables developers, product security teams, and release managers to scan open source components to identify the best building blocks for their products. Using Spectra’s unique combination of advanced threat detection, comprehensive analysis, and standardized assessments, it helps developers determine whether packages that they wish to use are free from malicious code and supply chain attacks.
[ Get your free risk assessment of more than 5 million open source packages at secure.software. ]
Mind the Brainleeches! The Value of OSS Threat Intelligence
Spectra Assure Community provides protections against sophisticated supply chain compromises and threats that are becoming far more common on open source package managers. That includes threats like Operation Brainleeches, the July 2023 campaign uncovered by ReversingLabs researchers in which malicious actors published more than a dozen malicious packages to the npm open source repository in support of email phishing campaigns targeting Microsoft 365 users.
As with other campaigns, the Operation Brainleeches packages mimicked legitimate npm modules with large user bases. For example, one of the malicious packages was named jqueryoffline, an obvious reference to the jquery package, which has about 7 million weekly downloads. In all, our researchers found malicious npm packages totaling more than 1,000 downloads associated with the Operation Brainleeches campaign.
The key to spotting this evolving malicious campaign was Spectra Assure’s ability to peer into open source packages and spot suspicious or outright malicious behaviors and content. For example, Spectra Assure flagged HTML code in the DEMO.txt file — a component of the npm package standforusz — that mimicked the login for Microsoft.com and made a call out to the URL of a remote server to which harvested credentials were sent. That warranted further scrutiny by ReversingLabs researchers, who soon uncovered links to the larger Operation Brainleeches campaign.
Rapid, Reproducible OSS Security Analysis
The newly announced Spectra Assure Community portal offers developers key insights into open source software. By leveraging the world’s largest repository of searchable goodware, grayware and malware, it gives developers unparalleled visibility and detection of emerging threats within open source repositories.
In addition, Spectra Assure leverages proprietary, AI-driven complex binary analysis of open source components, embedded artifacts and dependencies for malware, tampering, secrets, vulnerabilities, hardening, and licensing irregularities. This gives development teams an early heads up about unusual changes in the open source and proprietary packages they use.
The benefits of technology like Spectra Assure and the Spectra Assure Community portal are clear. With the help of these new tools, developers and development teams can perform rapid analysis of open source modules and use those to inform selection decisions, boosting productivity. Also, Spectra Assure enables traceable and reproducible security decisions: With comprehensive package analysis and uniform reporting standards, Spectra Assure provides consistent and auditable security decisions.
The benefits of a tool like Spectra Assure are easy to grasp. By incorporating a broad set of security criteria consistently throughout the software lifecycle, development teams are empowered to select the best and most secure open source package version for their project. At the same time, they can more easily avoid packages that have been found to contain malicious components - either now or in the past. That's because Spectra Assure Community not only provides security assessments of the latest open source updates, it lets developers and development teams track the evolution of open source packages over time, documenting past security incidents or compromises in ways that raise the overall security posture of the final application.
OSS Security Intelligence is a Search Away
The Spectra Assure Community portal is publicly available at secure.software. It provides public access to RL analysis of more than 5 million npm, PyPi, and RubyGems packages, with more exciting developments on the way. Developers can start by entering the name of the open source module to find the corresponding RL Assessment. The intuitive report for each component version reveals security quality and allows rapid evaluation of different packages or versions of a specific package.
Check out Spectra Assure Community and use it to find the best building blocks for your next application.
Explore RL's Spectra suite: Spectra Assure for software supply chain security, Spectra Detect for scalable file analysis, Spectra Analyze for malware analysis and threat hunting, and Spectra Intelligence for reputation data and intelligence.