White Hat Institute

Several Security Flaws Identified in Major Software Package Managers

Multiple security flaws have been discovered in major package managers that, if exploited, could allow attackers to run arbitrary code and access sensitive data, such as source code and access tokens, on vulnerable machines. It’s worth noting, however, that the problems only come into play when a targeted developer uses one of the affected package managers to handle a malicious package.

“This means that an attack from remote cannot be conducted directly against a developer computer, and the developer must be tricked into loading faulty files,” SonarSource researcher Paul Gerste explained. “However, can you always know and trust the owners of all the packages you download from the internet or from company-owned repositories?”

Package managers are systems or a collection of tools that automate the installation, upgrade, and configuration of third-party dependencies needed to develop applications. While there are security risks associated with malicious libraries working their way into package repositories, which necessitates that dependencies are thoroughly monitored to avoid typosquatting and dependency confusion attacks, the “act of managing dependencies is usually not seen as a potentially risky operation,” according to the report.

However, newly identified flaws in a variety of package managers suggest that attackers could use them to fool victims into running malicious code. The following package managers have been shown to have flaws:

  • Composer 1.x < 1.10.23 and 2.x < 2.1.9
  • Bundler < 2.2.33
  • Bower < 1.8.13
  • Poetry < 1.1.9
  • Yarn < 1.22.13
  • pnpm < 6.15.1
  • Pip (no fix), and Pipenv (no fix)


One of the most serious flaws is a command injection vulnerability in Composer’s browse command, which opens a package’s URL in the browser: a crafted URL in the metadata of an already-published malicious package is passed to a shell command without proper escaping, allowing arbitrary code execution. If the package also relies on typosquatting or dependency confusion to get picked up, invoking the browse command on it may result in the retrieval of a next-stage payload, which can subsequently be used to launch further attacks.

Additional argument injection and untrusted search path flaws in Bundler, Poetry, Yarn, Composer, Pip, and Pipenv allowed a malicious user to obtain code execution, either because the tool invoked git by its bare name, so a malicious git executable planted in the project directory took precedence over the real one, or because an attacker-controlled file such as a Gemfile (used to declare a Ruby program’s dependencies) could inject options into the commands the tool runs.
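The two bug classes in that paragraph, argument injection through a manifest-controlled git URL and an untrusted search path for the git binary, as an added example that is not code from any of the package managers named here: a minimal dependency-clone step in Python, first written the way a naive tool does it, then hardened. The manifest entries, the `ALLOWED_SCHEMES` set and the trusted-directory list are assumptions made for illustration.

```python
"""Argument injection and untrusted search path in a dependency fetcher.

Added illustration, not code from Bundler or any other package manager
named above: a minimal "clone this git dependency" step, first as a naive
tool writes it, then hardened. Manifest entries below are constructed.
"""
import os
import subprocess
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Constructed manifest entries. "url" is the field an attacker controls when
# they ship a malicious Gemfile-style manifest for the victim to process.
BENIGN_SPEC: Dict[str, str] = {
    "name": "rake",
    "url": "https://github.com/ruby/rake.git",
}
MALICIOUS_SPEC: Dict[str, str] = {
    "name": "evil",
    # git parses this as an option rather than a URL; --upload-pack sets the
    # program git runs to serve the fetch, so the attacker picks what executes.
    "url": "--upload-pack=touch /tmp/pwned",
}

# Assumption for this example: only these URL schemes are accepted, so the
# scp-style "git@host:path" form is rejected by design.
ALLOWED_SCHEMES = {"https", "ssh"}


def vulnerable_clone_argv(spec: Dict[str, str]) -> List[str]:
    """Command line a naive fetcher builds. No shell is involved, yet two bugs remain.

    1. The URL sits where git still accepts options, so a value beginning
       with "-" is interpreted as one (argument injection).
    2. "git" is a bare name. On Windows, CreateProcess searches the current
       directory before PATH, so a git.exe dropped next to the manifest is
       what actually runs (untrusted search path).
    """
    return ["git", "clone", spec["url"], spec["name"]]


def validate_repo_url(url: str) -> str:
    """Reject option-looking values and anything outside the allowlisted schemes."""
    if url.startswith("-"):
        raise ValueError(f"repository URL must not look like an option: {url!r}")
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.netloc:
        raise ValueError(f"unsupported repository URL: {url!r}")
    return url


def validate_target_dir(name: str) -> str:
    """The checkout directory is an operand too; keep it one plain path component."""
    if name.startswith("-") or name in (".", "..") or "/" in name or "\\" in name:
        raise ValueError(f"unsafe checkout directory name: {name!r}")
    return name


def resolve_git(trusted_dirs: List[str]) -> Optional[str]:
    """Locate git only in directories the tool trusts, never the working directory."""
    for directory in trusted_dirs:
        for candidate_name in ("git", "git.exe"):
            candidate = os.path.join(directory, candidate_name)
            if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
                return os.path.abspath(candidate)
    return None


def hardened_clone_argv(spec: Dict[str, str], git_path: str) -> List[str]:
    """Absolute git path, validated operands, and "--" to end option parsing."""
    url = validate_repo_url(spec["url"])
    name = validate_target_dir(spec["name"])
    return [git_path, "clone", "--", url, name]


def spec_is_accepted(spec: Dict[str, str]) -> bool:
    """True if the hardened builder would accept this manifest entry."""
    try:
        hardened_clone_argv(spec, "/usr/bin/git")  # path is irrelevant for validation
    except ValueError:
        return False
    return True


def run_clone(spec: Dict[str, str], trusted_dirs: List[str], dry_run: bool = True) -> List[str]:
    """Resolve git from trusted locations, build the hardened argv, optionally run it."""
    git_path = resolve_git(trusted_dirs)
    if git_path is None:
        raise FileNotFoundError("no trusted git executable found")
    argv = hardened_clone_argv(spec, git_path)
    if not dry_run:
        subprocess.run(argv, check=True)  # argv list, never shell=True
    return argv


if __name__ == "__main__":
    print("naive argv:", vulnerable_clone_argv(MALICIOUS_SPEC))
    for entry in (BENIGN_SPEC, MALICIOUS_SPEC):
        print(entry["name"], "accepted" if spec_is_accepted(entry) else "rejected")
```

The naive builder never touches a shell, which shows why "use an argv list, not a string" is necessary but not sufficient: the operand still lands where git reads options, and the executable name is still resolved by the OS. Ending option parsing with `--`, validating the operands against an allowlist, and pinning git to an absolute path in a trusted directory closes both gaps.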

Fixes for Composer, Bundler, Bower, Poetry, Yarn and pnpm have been released following responsible disclosure on September 9, 2021. The untrusted search path issue in Composer, Pip, and Pipenv, however, remains unfixed, as their maintainers have chosen not to address it.

“Developers are a tempting target for cybercriminals because they have access to a company’s most valuable intellectual property asset: source code,” said Gerste. “Attackers can use them to perform espionage or install malicious code in a company’s products if they are compromised. This may potentially be used to infiltrate a supply chain.”