You probably arrived on this page after watching my talk about Dependency Confusion at .NET Day Switzerland on the 30th of August 2022.
As a reminder, these are the three easy steps to take in order to secure your NuGet supply chain against dependency confusion attacks (links to Microsoft docs):
- Use Package Source Mapping
- Use trusted signers (the `<trustedSigners>` section of nuget.config): Manage package trust boundaries
- Reserve prefixes for both your public and private packages on nuget.org: Package ID prefix reservation
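Here is what the three steps look like when combined in a single `nuget.config`, as an added example that is not part of the original page or of the demo repository mentioned below. The private feed URL, the source names, the `Contoso.*` prefix and the certificate fingerprints are placeholders, and the reserved prefix only works as a defence once it has actually been reserved on nuget.org.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <packageSources>
    <!-- <clear /> drops sources inherited from machine/user-level configs,
         so no forgotten feed can become a resolution candidate. -->
    <clear />
    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
    <!-- Placeholder URL for the company's private feed. -->
    <add key="contoso-private" value="https://pkgs.example.internal/nuget/v3/index.json" />
  </packageSources>

  <!-- Step 1: Package Source Mapping.
       Every package ID must match a pattern; the most specific (longest) matching
       prefix wins. "Contoso.*" therefore only ever resolves from the private feed,
       even though "*" on nuget.org would also match it. A package whose ID matches
       no pattern fails to restore instead of silently coming from any source. -->
  <packageSourceMapping>
    <packageSource key="nuget.org">
      <package pattern="*" />
    </packageSource>
    <packageSource key="contoso-private">
      <package pattern="Contoso.*" />
    </packageSource>
  </packageSourceMapping>

  <!-- Step 2: trusted signers.
       With signatureValidationMode=require, restore rejects any package that is not
       signed by one of the signers listed below. Fingerprints are placeholders:
       take the real values from the certificates of the feeds and authors you trust. -->
  <config>
    <add key="signatureValidationMode" value="require" />
  </config>
  <trustedSigners>
    <!-- Packages from nuget.org are repository-signed by nuget.org; the <owners>
         list additionally restricts trust to packages owned by these accounts. -->
    <repository name="nuget.org" serviceIndex="https://api.nuget.org/v3/index.json">
      <certificate fingerprint="PLACEHOLDER_NUGET_ORG_REPO_CERT_SHA256"
                   hashAlgorithm="SHA256" allowUntrustedRoot="false" />
      <owners>microsoft;aspnet;dotnetframework</owners>
    </repository>
    <!-- Author signature used for the company's own packages on the private feed. -->
    <author name="contoso-build">
      <certificate fingerprint="PLACEHOLDER_CONTOSO_AUTHOR_CERT_SHA256"
                   hashAlgorithm="SHA256" allowUntrustedRoot="false" />
    </author>
  </trustedSigners>

  <!-- Step 3 (prefix reservation) has no config equivalent: reserve "Contoso."
       on nuget.org so nobody else can publish IDs under that prefix, which is what
       makes the mapping above safe against a public look-alike package. -->
</configuration>
```

Commit this file at the repository root so CI uses the same rules as developers. Trusted signers can also be maintained with `dotnet nuget trust` (for example `dotnet nuget trust sync nuget.org`, which fetches the current repository certificate) instead of editing the fingerprints by hand, and `dotnet nuget verify <package.nupkg>` checks a downloaded package against the configured signers before you add it to a feed.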
The source code for my demos is on GitHub, feel free to use it when explaining the problem to your colleagues.
More docs from Microsoft:
- NuGet Best practices for a secure software supply chain
- For Maven, Gradle, NuGet, npm, Pip, Yarn: 3 Ways to Mitigate Risk When Using Private Package Feeds
- MSBuild .props and .targets in a NuGet package
- MSBuild inline tasks
You can read about the NuGet historical design decision of having a non-deterministic package resolution behavior for hybrid configurations (fetching packages from all configured sources in parallel): NuGet/Home#5611.
About substitution attacks - the original article by security researcher Alex Bîrsan from Romania: Dependency Confusion: How I Hacked Into Apple, Microsoft, and Dozens of Other Companies.
- Typosquatting programming language package managers (2016) in the NPM, PyPi and rubygems ecosystems
- IconBurst NPM software supply chain attack grabs data from apps and websites (2022) in the NPM ecosystem
About the SolarWinds breach:
- overview, timeline: New Findings From Our Investigation of SUNBURST
- technical explanation of SUNSPOT, the malicious tool that was deployed into the SolarWinds build environment: SUNSPOT: An Implant in the Build Process.
- technical explanation of SUNBURST, the trojan shipped inside Orion: Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor
- SUNBURST Additional Technical Details
- list of victims: The List of Known SolarWinds Breach Victims Grows, as Do Attack Vectors
C. Augusto Proiete demonstrated that NuGet packages can execute arbitrary code in 2019 - i-am-root-nuget-package.
Whether or not you enjoyed my talk, please fill in this Feedback form (Google Form, anonymous).
Last, but not least: we’re hiring at Sonar!