Curating open source code or compiled DLLs from the NuGet public package repository is a common practice for .NET developers. It is fairly easy to search for appropriate packages, and eliminates time spent reinventing wheels, axles, headlights, seat-belts, etc.. In a 2023 survey, 80% of respondents increased the use of open source in their organizations over the last year.
This ease and productivity boost of NuGet and other repositories prompts most developers to download their chosen packages onto their laptops, include them in their software, and run various functional tests. However, with the 1300% growth in malicious open source packages in the last two years, repositories like NuGet are increasingly hosting malicious and suspicious packages that can fool developers.
Earlier this year, RL announced the Spectra Assure Community, the largest free community resource for vetting open source software packages in npm, PyPi, and RubyGems repositories. Its simple search interface enables users to quickly check real-time risk assessment summaries before choosing or updating open source packages. The community site keeps track of more than 50,000 unique malicious packages, of which more than 5,000 were first reported by the RL research team. Threat intelligence found on this website is shared with the open source community to help with removing malicious code from package repositories.
Spectra Assure Community Adds Support for NuGet Repository
The Spectra Assure Community now includes more than 400,000 unique packages on the NuGet repository, empowering millions of .Net developers and engineering teams to make more secure choices. In addition to open source operational risk information (e.g. number of maintainers, number of dependencies, version number, and publication date), the Spectra Assure Community also summarizes threats and risks that vulnerability scanners cannot detect (see Figure 1), such as malware, tampering and application hardening issues.
Figure 1: Spectra Assure Community empowers .Net developers to review software supply chain risks before selecting or updating NuGet dependencies in their software
The community also lists software behaviors exhibited by each package. Because the threat landscape is constantly changing, avoiding components with anomalous or uncommon behaviors can be as important as detecting known malware. For example, ReversingL complex binary analysis flagged the SqzrFramework480 package (now removed from NuGet) because it contained combinations of behaviors typically associated with malicious files. Read the full research post in the RL Blog.
Validate Safety of Open Source Updates
Software teams know tgat curation isn’t a one-and-done activity. Updates to open source software packages happen all the time. And recent attacks and business disruptions facilitated through software updates should leave no doubt that newer doesn’t always mean safer. The Spectra Assure Community covers all assessed versions of the packages and an "Issues per Version Graph" (see Figure 2) can indicate the maintainers’ diligence to improve the safety of their open source package.
Figure 2: Spectra Assure Community tracks issues across NuGet package versions which can indicate the maintainers’ diligence to improving software safety
With the Spectra Assure Community, .Net developers have more insight for finding components to deliver builds that are both on-time and safe. See RL's guided tour (view time: 60 seconds) to learn how the Spectra Assure Community helps you make the best choices for keeping your credentials, projects and end-users safe from malicious attacks.
