GuardDog suspicious finding for package dependency


Goal

This rule detects GuardDog findings that indicate package dependency behaviors commonly associated with malicious activity.

Strategy

This rule monitors GuardDog logs for findings associated with the following behaviors:

  • The presence of hardcoded IP addresses or domains frequently used by threat actors in the package source code.
  • Exfiltration of sensitive data, such as environment variables, API keys, or sensitive system files.
  • The presence of obfuscated source code.
  • Execution of code that is decoded from Base64 or decrypted.
  • Access to the system clipboard, which often retains credentials and other sensitive information.
  • Use of steganography to conceal data within other data (for example, image files) for later extraction.
  • Evidence of DLL sideloading, which can cause a misconfigured application to unintentionally execute malicious code.
  • Use of a package maintainer email domain that may be compromised, which can be a precursor to package hijacking.

These behaviors are strongly associated with tactics, techniques, and procedures (TTPs) observed in malicious open source packages and have limited legitimate use in benign dependencies. Package dependencies exhibiting any of these behaviors should be subject to careful review and increased scrutiny.
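Added example (not code from the original rule page or from GuardDog itself): a triage helper that parses one GuardDog scan result in JSON and keeps only the findings that map to the behaviors listed above, so reviewers can see which dependency, rule and source location to inspect. The rule identifiers, the JSON layout and the sample scan are assumptions modelled on GuardDog's output; check them against the GuardDog version you run.

```python
import json

# Assumed GuardDog rule identifiers (modelled on GuardDog's naming; verify against
# the version you run) mapped to the behaviors listed in the Strategy section.
SUSPICIOUS_RULES = {
    "shady-links": "hardcoded suspicious IP addresses or domains",
    "exfiltrate-sensitive-data": "exfiltration of sensitive data",
    "obfuscation": "obfuscated source code",
    "exec-base64": "execution of Base64-decoded code",
    "clipboard-access": "system clipboard access",
    "steganography": "steganography",
    "dll-hijacking": "DLL sideloading",
    "potentially_compromised_email_domain": "possibly compromised maintainer email domain",
}

def classify_scan(scan_json: str) -> list[dict]:
    """Parse one GuardDog scan result (JSON) and return one record per matched
    rule that falls into the behavior categories above; other rules are ignored."""
    scan = json.loads(scan_json)
    results = scan.get("result", {}).get("results", {})
    hits = []
    for rule, findings in results.items():
        if rule not in SUSPICIOUS_RULES or not findings:
            continue
        # Source-code rules are assumed to yield a list of findings with a "location";
        # metadata rules are assumed to yield a single message string.
        if isinstance(findings, list):
            evidence = [f.get("location", "?") for f in findings]
        else:
            evidence = [str(findings)]
        hits.append({"dependency": scan.get("dependency"), "version": scan.get("version"),
                     "rule": rule, "behavior": SUSPICIOUS_RULES[rule], "evidence": evidence})
    return hits

# Constructed sample scan output in the shape GuardDog's JSON output is assumed to take.
SAMPLE_SCAN = json.dumps({
    "dependency": "example-pkg", "version": "1.0.0",
    "result": {"issues": 4, "errors": {}, "path": "/tmp/example-pkg", "results": {
        "exec-base64": [{"location": "example_pkg/setup.py:14", "message": "exec of base64"}],
        "clipboard-access": [{"location": "example_pkg/util.py:3", "message": "clipboard read"}],
        "code-execution": [{"location": "example_pkg/setup.py:20", "message": "os.system"}],
        "potentially_compromised_email_domain": "maintainer email domain is unregistered",
    }},
})

if __name__ == "__main__":
    for hit in classify_scan(SAMPLE_SCAN):
        print(f"{hit['dependency']}=={hit['version']} {hit['rule']}: {hit['behavior']} {hit['evidence']}")
```

The `code-execution` finding in the sample is deliberately left out of the result, since it is not one of the behaviors this rule covers; extend `SUSPICIOUS_RULES` if your review scope is wider.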

Triage and response

  • Review the GuardDog finding in the scan logs and inspect the relevant sections of the affected dependency’s source code or metadata.
  • If the dependency is found to be malicious:
    • Immediately remove all instances from your system.
    • Rotate any affected credentials and perform an assessment of potential spread.
    • Consider reporting the malicious dependency to the package registry where it is hosted.