CAPEC-691: Spoof Open-Source Software Metadata
An adversary spoofs open-source software metadata in an attempt to masquerade malicious software as popular, maintained, and trusted.
Last updated
Overview
Due to open-source software's popularity, it serves as a desirable attack-vector for adversaries since a single malicious component may result in the exploitation of numerous systems/applications. Adversaries may, therefore, spoof the metadata pertaining to the open-source software in order to trick victims into downloading and using their malicious software. Examples of metadata that may be spoofed include: Owner of the software (e.g., repository or package owner) Author(s) of repository commits Frequency of repository commits Date/Time of repository commits Package or Repository "stars" Once the malicious software component has been integrated into an underlying application or executed on a system, the adversary is ultimately able to achieve numerous negative technical impacts within the system/application. This often occurs without any indication of compromise.
What the attacker needs
Prerequisites
- Identification of a popular open-source component whose metadata is to be spoofed.
Skills required
- Medium skill: Ability to spoof a variety of software metadata to convince victims the source is trusted.
Consequences
What a successful CAPEC-691 attack can achieve.
Modify Data
Affects: Integrity
Hide Activities
Affects: Accountability
Execute Unauthorized Commands, Alter Execution Logic, Gain Privileges
Affects: Access Control, Authorization