Software Supply Chain

Software Supply Chain Breach: Tracing the Impact of a Clothing Retailer on Your Production Environment

Mike Doyle
June 27, 2022

TL;DR

When open-source developers walk away from maintaining their projects, it poses a high risk to all source code that is dependent on them. This is pretty much what happened with the CTX Python library.  

This post includes a couple of indicators of compromise, which will help you understand how to catch these scenarios in the future.

Arnica is now live in Beta!
Arnica is now live. Come see how Arnica is mitigating software supply chain risks.
Get Started Today

What Happened?  

Part 1: HauteLook Account Abandonment from GitHub

Between September 2021 and May 2022, the Nordstrom-owned clothing brand named HauteLook closed their GitHub account. They had been receding from the open-source community.  

In September 2021 they zapped their popular AliceBundle repo without a word.  

On May 15th, 2022 the GitHub username HauteLook was registered, again, by an interested third party.

Figure 1

Figure 1. The Security Researcher Somdev Sangwan identifying the date that HauteLook's GitHub account was recreated.

It means that the new owner of the GitHub account could act on behalf of the deleted account.

Part 2: FigLeif’s Domain Squatting

The open-source developer FigLeif (the name sounds like a typo-squatting) was stale between July 2020 and May 2022. He had developed and maintained the CTX python package, which affords python developers the syntactic sugar of addressing data structure elements in efficient attribute-access notation (i.e. foo.bar.baz) rather than the cumbersome item-access notation (i.e. foo["bar"]["baz"]) functionality which may seem frivolous to the uninitiated, but try typing all those brackets and quotes sometime - your pinkies will hate you for it ;-)

FigLeif's email domain expired in August 2021 but was reregistered by the same interested third party from Part 1 above.

Figure 2

Figure 2: figlief.com domain registry recent history.

Part 3: GitHub Vulnerability - Recreate Retired Repo

The same interested third party cleverly recreated retired repos of CTX and HauteLook's most prominent repo, a sadly named password hashing library, PHPass.  

GitHub has a security control to prevent the creation of repository names that are equivalent to retired repository names, but the new owner of the FigLeif and HauteLook orgs found a bypass for it: change your username to something other than the previous owner of the repository >> create a repository with the name of the retired repository >> change the username back to the previous owner.

Figure 3

Figure 3: A screenshot taken by Yunus Aydin, the interested party.

Having done this, the interested party, a security researcher and college student named Yunus Aydin, blogged about the attack and posted it to his LinkedIn.

Part 4: Push Malicious Code to the GitHub Repositories CTX and PHPass

Yunus modified the packages so that any time they run, the AWS environment variables are sent to an Heroku-hosted app Yunus controlled.

Figure 4

Figure 4: Screenshot showing the code which sends AWS environment variables.

This is dangerous because many applications, especially cloud hosted and containerized ones, store sensitive secrets in environment variables.

Part 5: Upload CTX to PyPi from FigLeif’s Account

Since Yunus managed to take over FigLeif’s domain, he managed reset the password to PyPi, which followed by uploading the malicious package to PyPi on May 14.

Figure 5

Figure 5: The PyPI project page for the malicious CTX package, archived by The Wayback Machine.

Part 6: A Random Search on GitHub Identified PHPass

The security researcher, Somdev, found additional instance of the same by running a GitHub search. Thank you!

Figure 6

Figure 6: The Security Researcher Somdev Sangwan found the PHPass issue.

Do NOT Blame Open-Source Contributors

All open-source software needs a succession plan for when their maintainers move on. Building a successful, stable, useful library is surprisingly thankless. Both PHPass and CTX hadn't been touched in years and hadn't needed it. Their developers can't be blamed for losing interest.

What Can You Do?

  • Lock all used package versions. If a dependency management system is in use, such as Poetry or Pipenv, use poetry.lock and Pipfile.lock respectively.  
  • If you maintain open-source projects, make sure MFA is enforced. Don’t use email as the 2nd factor.
  • Set your domain registration to auto-renew.
  • To avoid pushing malicious code by other contributors to your open-source project, maintain a CODEOWNERS file to enforce reviews of PRs. Based on our research, it also increases the quality of your code. We can automatically generate and maintain CODEOWNERS files for you.
Arnica is now live in Beta!
Arnica is now live. Come see how Arnica is mitigating software supply chain risks.
Get Started Today