Open source package entry points could be used for command jacking: report

  • npm (the Node.js package manager)
  • pip (the Python package installer)
  • Git (a version control system)
  • kubectl (a Kubernetes command line tool)
  • Terraform (an infrastructure-as-code tool)
  • gcloud (Google Cloud’s command line interface)
  • heroku (the Heroku command line interface)
  • dotnet (the command line interface for .NET Core)

“Each of these commands is commonly used in various development environments, making them attractive targets for attackers looking to maximize the impact of their malicious packages,” the report said.

Another command jacking tactic is called “command wrapping.” Instead of replacing a command, an attacker creates an entry point that acts as a wrapper around the original command. This stealthy approach allows attackers to maintain long-term access and exfiltrate potentially sensitive information without arousing suspicion, the report said. However, it adds that implementing command wrapping requires additional research on the part of the attacker. They must understand the correct paths for the target commands on different operating systems and consider potential errors in their code. This complexity increases with the variety of systems targeted by the attack.

A third tactic would be to create malicious plugins for popular tools and frameworks. For example, if an attacker wanted to attack Python’s Pytest testing framework, they would create a plugin that appears to be a test helper but registers itself through Pytest’s plugin entry point. The plugin could then execute malicious code in the background or allow buggy or vulnerable code to pass quality checks.
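As an added defensive example (not code from the report or from any project it names), the following Python check parses the entry_points.txt that Python packages ship in their dist-info, flags any console_scripts name that collides with one of the commands listed above, and reports any pytest11 plugin registration so that both the command-jacking and the malicious-plugin cases can be reviewed. The package name and entry-point contents in the sample are constructed for illustration.

```python
import configparser
from importlib import metadata

# Commands the report names as high-value targets for command jacking.
WATCHED_COMMANDS = {"npm", "pip", "git", "kubectl", "terraform",
                    "gcloud", "heroku", "dotnet"}


def parse_entry_points(text):
    """Parse entry_points.txt (INI-style) into {group: {name: target}}."""
    # Only "=" separates name from target; ":" is part of "module:attr".
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep entry-point names case-sensitive
    cp.read_string(text)
    return {group: dict(cp[group]) for group in cp.sections()}


def suspicious_entry_points(entry_points, dist_name, watched=WATCHED_COMMANDS):
    """Return (dist, group, name, target) tuples worth a human look."""
    findings = []
    for name, target in entry_points.get("console_scripts", {}).items():
        if name in watched:  # a console script shadowing a well-known command
            findings.append((dist_name, "console_scripts", name, target))
    for name, target in entry_points.get("pytest11", {}).items():
        findings.append((dist_name, "pytest11", name, target))  # pytest plugin
    return findings


def audit_installed(watched=WATCHED_COMMANDS):
    """Walk every installed distribution and collect suspicious entry points."""
    findings = []
    for dist in metadata.distributions():
        text = dist.read_text("entry_points.txt")
        if not text:
            continue
        try:
            parsed = parse_entry_points(text)
        except configparser.Error:
            continue  # malformed metadata; skip rather than abort the audit
        findings.extend(suspicious_entry_points(parsed, dist.metadata["Name"], watched))
    return findings


# Constructed sample: a hypothetical package registering a "pip" console
# script (command jacking) and a pytest11 plugin.
SAMPLE_ENTRY_POINTS = """\
[console_scripts]
pip = totally_legit_utils.shim:main
legit-cli = totally_legit_utils.cli:main

[pytest11]
legit_helper = totally_legit_utils.pytest_plugin
"""

if __name__ == "__main__":
    for hit in suspicious_entry_points(parse_entry_points(SAMPLE_ENTRY_POINTS),
                                       "totally-legit-utils"):
        print(hit)
    for hit in audit_installed():
        print(hit)
```

A hit on a watched name is only a signal: the entry point still has to win the PATH race to shadow the real binary, so check which file the shell actually resolves before drawing conclusions.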