Software supply chain attacks, in which attack groups trick developers into integrating malicious open source components into their applications, are on the rise. To help developers identify malicious packages, Checkmarx has launched Supply Chain Threat Intelligence, an API that delivers detailed threat intelligence on hundreds of thousands of malicious packages, along with contributor reputation and observed malicious behavior.
Checkmarx says it classifies malicious packages by attack type, such as dependency confusion, typosquatting, and chainjacking, and calculates contributor reputation by analyzing anomalous activity within packages.
Supply Chain Threat Intelligence is based on threat intelligence research by Checkmarx Labs and includes the 150,878 malicious packages the group discovered in 2022, the company says. Checkmarx then employs machine learning, retro-hunting, and cross-language hunting to identify emerging threats. The company also uses static and dynamic analysis to understand how the code in the package runs.
Security works best when it is part of the developer workflow. Checkmarx says Supply Chain Threat Intelligence integrates with widely used developer tools and environments. The developer obtains a unique token from Checkmarx, submits a package name and its version number, and receives threat intelligence on that package: what the package does, whether it is considered malicious, and the reputation of the contributor who published it.
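The workflow just described (token in hand, package name plus version out, verdict back) is easiest to use when it is wired into the build rather than run by hand. The following is an added example, not Checkmarx's code and not its API: it parses a pinned requirements file, looks each pin up through a lookup function, and fails the build on a malicious verdict or a very low contributor reputation. The HTTPS endpoint, the bearer-token header, and the JSON field names in `lookup_via_api` are assumptions standing in for whatever the vendor documents; the sample requirements file and the offline feed used by `fake_lookup` are constructed for the example.

```python
"""Gate a pinned dependency manifest on package threat intelligence.

Added example. The URL, auth header and response fields below are
assumptions, not Checkmarx's real API; only the workflow (token, name and
version in, verdict out) comes from the article.
"""
import json
import re
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Hypothetical endpoint; replace with the vendor-documented one.
API_URL = "https://threat-intel.example.invalid/v1/packages"


@dataclass(frozen=True)
class Verdict:
    name: str
    version: str
    malicious: bool
    attack_type: Optional[str]            # e.g. "typosquatting"; None when benign
    contributor_reputation: Optional[float]  # assumed 0.0 (bad) .. 1.0 (trusted)


# Constructed requirements.txt content; "reqeusts" is a deliberate typosquat.
SAMPLE_REQUIREMENTS = """\
# production pins
requests==2.31.0
urllib3==2.0.7  # pinned for CVE hygiene
reqeusts==1.0.0
"""

_PIN = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s;#]+)")


def canonicalize(name: str) -> str:
    """PEP 503 name normalisation so lookups match what the index stores."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text: str) -> List[Tuple[str, str]]:
    """Return exactly pinned (name, version) pairs; comments, blanks and
    unpinned specifiers are skipped because they cannot be looked up."""
    pins = []
    for line in text.splitlines():
        m = _PIN.match(line)
        if m:
            pins.append((m.group(1), m.group(2)))
    return pins


def lookup_via_api(token: str, name: str, version: str, ecosystem: str = "pypi") -> Verdict:
    """Fetch one verdict over HTTPS. Path layout, header and field names are assumed."""
    url = f"{API_URL}/{ecosystem}/{urllib.parse.quote(name)}/{urllib.parse.quote(version)}"
    req = urllib.request.Request(
        url, headers={"Authorization": f"Bearer {token}", "Accept": "application/json"}
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        data = json.load(resp)
    return Verdict(name, version, bool(data.get("malicious")),
                   data.get("attack_type"), data.get("contributor_reputation"))


# Constructed offline feed so the gate can be exercised without a token.
_CONSTRUCTED_FEED = {
    ("requests", "2.31.0"): Verdict("requests", "2.31.0", False, None, 0.98),
    ("urllib3", "2.0.7"): Verdict("urllib3", "2.0.7", False, None, 0.95),
    ("reqeusts", "1.0.0"): Verdict("reqeusts", "1.0.0", True, "typosquatting", 0.03),
}


def fake_lookup(name: str, version: str) -> Verdict:
    """Stand-in for the API; unknown packages raise, like a 404 would."""
    try:
        return _CONSTRUCTED_FEED[(name, version)]
    except KeyError:
        raise LookupError(f"no intel for {name}=={version}")


def gate(pins: List[Tuple[str, str]],
         lookup: Callable[[str, str], Verdict],
         min_reputation: float = 0.2,
         fail_closed: bool = True) -> Tuple[List[Verdict], List[str]]:
    """Return (verdicts, failure reasons). A lookup error is itself a failure
    when fail_closed is set: a build should not pass because the feed was down."""
    verdicts, failures = [], []
    for name, version in pins:
        try:
            v = lookup(canonicalize(name), version)
        except Exception as exc:  # network error, 404, bad JSON ...
            if fail_closed:
                failures.append(f"{name}=={version}: no verdict ({exc}); failing closed")
            continue
        verdicts.append(v)
        if v.malicious:
            failures.append(f"{name}=={version}: flagged malicious ({v.attack_type or 'unspecified'})")
        elif v.contributor_reputation is not None and v.contributor_reputation < min_reputation:
            failures.append(f"{name}=={version}: low contributor reputation {v.contributor_reputation:.2f}")
    return verdicts, failures


if __name__ == "__main__":
    import os
    import sys
    token = os.environ.get("THREAT_INTEL_TOKEN")  # hypothetical variable name
    lookup = (lambda n, v: lookup_via_api(token, n, v)) if token else fake_lookup
    _, failures = gate(parse_requirements(SAMPLE_REQUIREMENTS), lookup)
    for reason in failures:
        print("FAIL", reason)
    sys.exit(1 if failures else 0)
```

Run without a token and the constructed feed drives the gate, which exits non-zero on the typosquatted pin; with a token set it would call the assumed endpoint instead. The fail-closed default is the caveat worth keeping: an intelligence feed that is unreachable must not silently let a package through.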
Reporting packages doesn't stop attack groups, which simply create new sock-puppet accounts and continue publishing, Checkmarx says. The company maintains a data lake of every package it has scanned so that its team can keep analyzing them even after they have been deleted from package managers. This can help link multiple packages to the same threat actor or uncover patterns over time.