This article has been indexed from E Hacking News – Latest Hacker News and IT Security News
An investigation of the off-shelf packages housed in the NuGet repository indicated that 51 unique software components are susceptible to extreme vulnerabilities that are being exploited actively, again highlighting the danger posed on software development by third-party dependencies.
ReversingLabs Researcher Karl Zanki noted in a paper that there is still an increasing number of cyber events targeting the software supply chain that such modules urgently need to be assessed for safety risk and the attack surface to be minimized.
NuGet is a .NET platform supported by Microsoft technology that works as a Package Manager to allow developers to exchange reused code. The framework maintains a single repository of more than 264,000 individual packages that have generated more than 109 billion downloads together.
Of that kind, code is very often wrapped into ‘packages’ which include compiled code (such DLLs) and other contents required for projects using these packages. NuGet, which specifies how packages for the .NET function are developed, hosted, consumed, and provides tools for each role, is supported by the Microsoft-built code sharing mechanism. NET (including the.NET core).
“All identified pre-compiled software components in our research were different versions of 7Zip, WinSCP, and PuTTYgen, programs that provide complex compression and network functionality,” Zanki explained. “They are continuously updated to improve their functionality and to address known security vulnerabilities. However, sometimes it happens that other software pa
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
Read the original article: Utilizing Exposed NuGet Packages Attackers Target .NET Platform