Info
ID: AT-RD004.001
Technique: Third-Party Dependency Poisoning
Tactic: Resource Development
Platforms: Linux, macOS, Windows
Version: 1.0
Backdoored Open-Source Libraries
Backdoored open-source libraries are a Resource Development technique in which adversaries insert malicious code into legitimate open-source packages that organizations and developers then incorporate into their applications unknowingly. Unlike other Third-Party Dependency Poisoning methods, such as typosquatted packages or abuse of trust relationships, this sub-technique compromises authentic, established libraries: by taking over a contributor's or maintainer's account, by attacking the repository or registry infrastructure that serves the project, or by landing malicious contributions that pass code review. The injected code travels through the package's normal distribution channels, so the adversary obtains reliable code execution in every environment that installs the backdoored version. The technique exploits the implicit trust placed in well-established projects and can reach thousands of downstream applications from a single compromise, giving an efficient, scalable initial access vector that passes traditional security controls because it arrives as ordinary functionality inside trusted code.
Data Sources
- Code Repositories: Repository commit logs, pull requests, and contributor activity
- Package Registries: Package upload logs, version histories, and download statistics
- Threat Intelligence: Intelligence reports documenting supply chain compromises and backdoored libraries
- Application Logs: Library usage logs and dependency resolution activities
Detection
Monitor for suspicious library modifications, unusual contributor behavior, and unexpected package changes. Detection strategies include:
- Repository Monitoring: Track commits, releases, and maintainer changes in the open-source libraries you depend on, and flag changes that arrive outside the project's normal review process (force pushes, commits from new or long-dormant accounts, release artifacts that do not match the tagged source)
- Package Integrity Verification: Verify each fetched artifact against pinned hashes or signatures before it is installed, and treat a changed digest for an already-pinned version as a compromise indicator rather than as drift to accept
- Behavioral Analysis: Monitor the library at runtime for network connections, process creation, or file system access that its documented purpose does not explain
- Contributor Validation: Verify the identity and history of contributors making changes to critical libraries, especially maintainers added shortly before a release
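The behavioral-analysis item above is the one that catches a backdoor after it has already passed hash checks and code review, because the malicious code must eventually do something the library's purpose does not explain. The following is an added example, not code from the original page or from any real project: it uses CPython's `sys.addaudithook` to attribute sensitive runtime events (file opens, socket creation, subprocess launches, `os.system`, `exec`) to the top-level package on the call stack, records them, and aborts the ones a policy forbids. The package name `untrusted_pkg`, its source, and the event policy are constructed for the demonstration; the audit event names are CPython's own.

```python
import os
import socket  # imported here so the watched module's own "import socket" hits sys.modules
import sys
import types

# Constructed example: top-level packages whose runtime behaviour is attributed and policed.
WATCHED_PACKAGES = {"untrusted_pkg"}

# CPython audit events that a pure data-processing library should never raise.
SENSITIVE_EVENTS = {"open", "socket.__new__", "subprocess.Popen", "os.system", "exec"}
# Subset that is aborted outright rather than only recorded.
BLOCKED_EVENTS = {"socket.__new__", "subprocess.Popen", "os.system"}

observations = []  # (package, event, args summary), appended by the hook


def _watched_caller():
    """Walk the Python call stack and return the first watched top-level package, else None."""
    frame = sys._getframe(1)
    while frame is not None:
        pkg = frame.f_globals.get("__name__", "").split(".")[0]
        if pkg in WATCHED_PACKAGES:
            return pkg
        frame = frame.f_back
    return None


def _summarize(args):
    # Keep scalars; replace objects by their type name so the hook never calls into user code.
    return tuple(a if isinstance(a, (str, bytes, int)) else type(a).__name__ for a in args)


def _audit_hook(event, args):
    # Return early for everything else: sys._getframe raises its own audit event, which must not recurse.
    if event not in SENSITIVE_EVENTS:
        return
    pkg = _watched_caller()
    if pkg is None:
        return  # event came from code we are not watching
    summary = _summarize(args)
    observations.append((pkg, event, summary))
    if event in BLOCKED_EVENTS:
        # Raising from an audit hook aborts the audited operation in the caller.
        raise RuntimeError(f"policy violation: {pkg} attempted {event} {summary}")


sys.addaudithook(_audit_hook)  # audit hooks cannot be removed once installed

# Constructed stand-in for a backdoored library: the documented parser plus behaviour a
# CSV splitter has no reason to exhibit (reading a file and opening a socket).
UNTRUSTED_SOURCE = """
import os
import socket

def parse(data):
    fields = data.split(",")
    with open(os.devnull) as fh:                        # recorded, not blocked
        fh.read()
    socket.socket(socket.AF_INET, socket.SOCK_STREAM)   # blocked by policy
    return fields
"""


def load_untrusted_module():
    """Build the constructed package as a real module so its frames carry __name__ == 'untrusted_pkg'."""
    mod = types.ModuleType("untrusted_pkg")
    exec(compile(UNTRUSTED_SOURCE, "untrusted_pkg/__init__.py", "exec"), mod.__dict__)
    sys.modules["untrusted_pkg"] = mod
    return mod


def run_demo():
    """Call the library once; return whether policy aborted it and what was observed."""
    observations.clear()
    mod = load_untrusted_module()
    try:
        mod.parse("a,b,c")
        blocked = False
    except RuntimeError:
        blocked = True
    return blocked, list(observations)


if __name__ == "__main__":
    blocked, seen = run_demo()
    for pkg, event, summary in seen:
        print(f"{pkg}: {event} {summary}")
    print("call aborted by policy:", blocked)
```

The hook only attributes an event when a watched package appears somewhere on the stack, which keeps the interpreter's own file opens during imports out of the record. In production the recorded tuples would go to the SIEM rather than a list, and the allow-list per package would be derived from a baseline run of the known-good version; a new event type appearing after a version bump is exactly the signal this detection strategy is after.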
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1045 | Code Signing | Implement code signing and verification for all open-source dependencies |
| M1016 | Vulnerability Scanning | Regularly scan dependencies for known vulnerabilities and malicious code |
| M1013 | Application Developer Guidance | Implement secure development practices and dependency management policies |
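The Package Integrity Verification item in the detection list and the dependency-management policy in M1013 both reduce, at install time, to refusing any artifact whose digest is not the one the lock file pinned. The following is an added example, not code from the original page or from pip itself: it parses a requirements file written in pip's real hash-checking syntax (`--hash=sha256:...`, as emitted by `pip-compile --generate-hashes`), then applies the same rule as `pip install --require-hashes`, which is that a fetched artifact must match a pinned hash and an entry without a hash is an error, not a pass. The package names, the lock file, and the artifact bytes are constructed for the demonstration. Signature verification (M1045) is a separate step and is not shown.

```python
import hashlib
import re


def normalize_name(name):
    """PEP 503 normalisation so 'Example_Lib' and 'example-lib' resolve to the same pin."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_hash_lock(text):
    """Parse a pip requirements file written in hash-checking mode.

    Returns {normalized_name: (pinned_version, {sha256 hex, ...})}. Backslash continuations
    are joined first, since pip-compile puts each --hash on its own line.
    """
    logical = re.sub(r"\\\n\s*", " ", text)
    lock = {}
    for raw in logical.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        m = re.fullmatch(r"([A-Za-z0-9_.\-]+)==(\S+)", tokens[0])
        if m is None:
            raise ValueError(f"not an exact pin: {line!r}")
        hashes = {
            t[len("--hash=sha256:"):].lower()
            for t in tokens[1:]
            if t.startswith("--hash=sha256:")
        }
        lock[normalize_name(m.group(1))] = (m.group(2), hashes)
    return lock


def verify_artifact(name, version, data, lock):
    """Decide whether a fetched artifact may be installed; mirrors pip --require-hashes.

    Returns (ok, reason). A release may ship an sdist and several wheels, so the pinned
    hashes are a set; a package with no pinned hash is refused rather than trusted.
    """
    entry = lock.get(normalize_name(name))
    if entry is None:
        return False, "not in lock file"
    pinned_version, hashes = entry
    if version != pinned_version:
        return False, f"version {version} differs from pinned {pinned_version}"
    if not hashes:
        return False, "no hash pinned, artifact cannot be verified"
    digest = hashlib.sha256(data).hexdigest()
    if digest not in hashes:
        return False, f"sha256 {digest[:16]}... does not match any pinned hash"
    return True, "sha256 matches pinned hash"


def check_fetched_artifacts(lock, fetched):
    """fetched: {(name, version): bytes} as returned by a registry; returns {name: (ok, reason)}."""
    return {
        name: verify_artifact(name, version, data, lock)
        for (name, version), data in fetched.items()
    }


# Constructed artifacts standing in for sdists; only their digests matter here.
GENUINE_SDIST = b"PK\x03\x04 contents of examplelib-1.4.2 as first published"
REUPLOADED_SDIST = GENUINE_SDIST + b"\n# bytes that were not in the release the lock was generated from"

# Constructed lock file in the syntax pip-compile --generate-hashes emits. The hash is that of
# GENUINE_SDIST, i.e. the lock predates the re-upload. 'otherlib' is pinned by version only.
LOCKFILE = (
    "examplelib==1.4.2 \\\n"
    f"    --hash=sha256:{hashlib.sha256(GENUINE_SDIST).hexdigest()}\n"
    "otherlib==0.3.0\n"
)


def run_example():
    """Two fetches of the same version string: the original artifact and a silently replaced one."""
    lock = parse_hash_lock(LOCKFILE)
    first = check_fetched_artifacts(
        lock, {("examplelib", "1.4.2"): GENUINE_SDIST, ("otherlib", "0.3.0"): b"any bytes"}
    )
    later = check_fetched_artifacts(lock, {("examplelib", "1.4.2"): REUPLOADED_SDIST})
    return first, later


if __name__ == "__main__":
    for label, results in zip(("original fetch", "later fetch"), run_example()):
        for name, (ok, reason) in results.items():
            print(f"{label}: {name}: {'OK' if ok else 'REJECT'} ({reason})")
```

The check detects an artifact that changed under an unchanged version number, which is what a registry compromise or a maintainer's malicious re-upload looks like from the consumer side. It does not detect a backdoor that was already present when the hash was pinned; that case needs the review, contributor-validation and behavioral controls above, and a pin bump should be treated as a code change to review rather than as routine maintenance.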