Info

ID: AT-RD004.001
Technique: Third-Party Dependency Poisoning
Tactic: Resource Development
Platforms: PRE
Version: 1.0

Backdoored Open-Source Libraries

Backdoored open-source libraries are a Resource Development technique in which an adversary inserts malicious code into a legitimate, established open-source package that organizations and developers then incorporate into their applications without knowing it has been altered. Where other Third-Party Dependency Poisoning sub-techniques rely on typosquatted or look-alike packages, this sub-technique compromises the authentic library itself: through a compromised contributor or maintainer account, an attack on the repository or registry infrastructure, or a malicious contribution that passes code review. The injected code travels through the package's normal distribution channels, so it executes in every environment that installs the affected version. The technique is dangerous because it exploits the trust placed in well-established projects and reaches all of a project's downstream consumers at once, giving the adversary a scalable initial access vector that passes through controls which treat code from trusted projects as benign.

Data Sources

  • Code Repositories: Repository commit logs, pull requests, and contributor activity
  • Package Registries: Package upload logs, version histories, and download statistics
  • Malware Repository: Hashes and indicators of known backdoored package artifacts (IOC feeds)
  • Threat Intelligence: Intelligence reports documenting supply chain compromises and backdoored libraries
  • Application Logs: Library usage logs and dependency resolution activities

Detection

ID     | Data Source        | Detection
DS0021 | Code Repository    | Alert on commits to critical library repositories that are signed with unrecognised GPG keys or that come from new contributor IDs.
DS0050 | Package Registry   | Detect a newly published version with an unexplained size increase or with unexpected binaries added.
DS0004 | Malware Repository | Compare the hashes of newly published package artifacts against IOC feeds of known backdoored libraries.
DS0015 | Application Log    | Detect at runtime a library initiating outbound network connections during build or test phases.
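The four detections above, run over constructed sample data, as an added example (not code from the original page or from any project it names): a commit log for a watched library, the file manifests of two consecutive published versions, and a few build/test log lines. The maintainer key IDs, contributor allowlist, size threshold, binary patterns, IOC digest and log line format are all assumptions made for the example.

```python
"""Commit-log, release-diff and build-log checks for a watched dependency."""
import fnmatch
import hashlib
import re

# Assumed allowlists and thresholds for the library being watched.
TRUSTED_KEY_IDS = {"A1B2C3D4E5F60718"}          # maintainers' GPG key IDs
KNOWN_CONTRIBUTORS = {"alice", "bob"}            # authors with prior accepted commits
BINARY_PATTERNS = ("*.so", "*.dll", "*.dylib", "*.exe", "*.pyd", "*.bin")
SIZE_JUMP_RATIO = 1.5                            # flag a release >50% larger than the last
# Assumed build-log format: "[phase] <component>: connect <host>:<port>"
NET_LINE = re.compile(r"^\[(build|test)\] .* connect (\S+):(\d+)$")

# Constructed "known backdoor" blob so the IOC feed holds a real digest.
MALICIOUS_BLOB = b"constructed backdoor payload for the example"
IOC_HASHES = {hashlib.sha256(MALICIOUS_BLOB).hexdigest()}


def check_commits(commits):
    """DS0021: commits signed with an unrecognised key or by a new contributor."""
    findings = []
    for c in commits:
        if c["key_id"] not in TRUSTED_KEY_IDS:
            findings.append(f"commit {c['sha']}: signed with unrecognised key {c['key_id']}")
        if c["author"] not in KNOWN_CONTRIBUTORS:
            findings.append(f"commit {c['sha']}: first commit from {c['author']}")
    return findings


def check_release(prev, curr):
    """DS0050/DS0004: size jump, newly added binaries, and IOC hash matches.

    Manifests map file path -> (size_bytes, sha256_hex).
    """
    findings = []
    prev_total = sum(size for size, _ in prev.values())
    curr_total = sum(size for size, _ in curr.values())
    if prev_total and curr_total > prev_total * SIZE_JUMP_RATIO:
        findings.append(f"release grew from {prev_total} to {curr_total} bytes")
    for path, (_, digest) in curr.items():
        is_new = path not in prev
        if is_new and any(fnmatch.fnmatch(path, pat) for pat in BINARY_PATTERNS):
            findings.append(f"new binary artifact {path}")
        if digest in IOC_HASHES:
            findings.append(f"{path} matches IOC hash {digest[:12]}")
    return findings


def check_build_log(lines):
    """DS0015: the library opening outbound connections during build or test."""
    findings = []
    for line in lines:
        m = NET_LINE.match(line)
        if m:
            findings.append(f"{m.group(1)} phase connected to {m.group(2)}:{m.group(3)}")
    return findings


# Constructed sample data for versions 2.3.0 -> 2.3.1 of an imaginary library.
SAMPLE_COMMITS = [
    {"sha": "9f1c2a", "author": "alice", "key_id": "A1B2C3D4E5F60718"},
    {"sha": "7d0e44", "author": "mallory", "key_id": "FFFF000011112222"},
]
PREV_MANIFEST = {
    "lib/core.py": (41_200, "0" * 64),
    "lib/util.py": (8_300, "1" * 64),
}
CURR_MANIFEST = {
    "lib/core.py": (41_350, "2" * 64),
    "lib/util.py": (8_300, "1" * 64),
    "lib/_native.so": (52_000, hashlib.sha256(MALICIOUS_BLOB).hexdigest()),
}
SAMPLE_BUILD_LOG = [
    "[build] compiling lib/core.py",
    "[test] lib._native: connect 203.0.113.7:443",
    "[test] 42 passed",
]


def scan(commits=SAMPLE_COMMITS, prev=PREV_MANIFEST, curr=CURR_MANIFEST, log=SAMPLE_BUILD_LOG):
    """Run all checks and return the combined list of findings."""
    return check_commits(commits) + check_release(prev, curr) + check_build_log(log)


if __name__ == "__main__":
    for finding in scan():
        print("ALERT:", finding)
```

Against the sample data the scan reports six findings: the unrecognised key and the new contributor on the second commit, the size jump, the new `.so`, its IOC match, and the outbound connection during the test phase. In practice the allowlists would be loaded from the project's published maintainer keys and the manifests from the registry's per-version file listings rather than from inline literals.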

Mitigations

ID    | Mitigation                     | Description
M1045 | Code Signing                   | Implement code signing and verification for all open-source dependencies.
M1016 | Vulnerability Scanning         | Regularly scan dependencies for known vulnerabilities and malicious code.
M1013 | Application Developer Guidance | Implement secure development practices and dependency management policies.
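The verification half of the Code Signing mitigation, shown here with digest pinning rather than signature checking, as an added example that is not code from the original page: an artifact is accepted only if its SHA-256 matches a digest recorded in a lockfile, and anything unpinned or mismatching is rejected. The lockfile format, package names and artifact bytes are constructed for the example; real tooling such as pip's `--require-hashes` mode records the same information in its own format.

```python
"""Fail-closed digest verification for pinned dependency artifacts."""
import hashlib
import hmac


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


# Constructed artifacts: the genuine wheel and a tampered copy of it.
GOOD_WHEEL = b"constructed wheel contents for examplelib 2.3.0"
TAMPERED_WHEEL = GOOD_WHEEL + b"\n# injected backdoor stub"

# Constructed lockfile (assumed format): one line per artifact, several
# digests allowed so that e.g. one wheel per platform can be pinned.
LOCKFILE = (
    "# name==version sha256=<hex> [sha256=<hex> ...]\n"
    f"examplelib==2.3.0 sha256={sha256_hex(GOOD_WHEEL)}\n"
    "otherlib==1.0.0 sha256=" + "a" * 64 + "\n"
)


def parse_lockfile(text):
    """Return {(name, version): set_of_allowed_sha256_hex}."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blank lines
        if not line:
            continue
        spec, *digests = line.split()
        name, version = spec.split("==", 1)
        pins[(name, version)] = {
            d[len("sha256="):].lower() for d in digests if d.startswith("sha256=")
        }
    return pins


def verify_artifact(pins, name, version, data):
    """Return (ok, reason). Unpinned or mismatching artifacts are rejected."""
    allowed = pins.get((name, version))
    if not allowed:
        return False, f"{name}=={version} has no pinned digest; refusing to install"
    actual = sha256_hex(data)
    # Constant-time comparison against every pinned digest for this artifact.
    if any(hmac.compare_digest(actual, d) for d in allowed):
        return True, f"{name}=={version} digest matches lockfile"
    return False, f"{name}=={version} digest {actual[:12]} not in lockfile"


if __name__ == "__main__":
    pins = parse_lockfile(LOCKFILE)
    for label, data in (("genuine", GOOD_WHEEL), ("tampered", TAMPERED_WHEEL)):
        ok, reason = verify_artifact(pins, "examplelib", "2.3.0", data)
        print(label, "->", "ACCEPT" if ok else "REJECT", reason)
```

The check is only as good as the lockfile: the pinned digests must be recorded from a version that was reviewed, and the lockfile itself kept under version control and code review, otherwise a backdoored release simply arrives with a matching pin.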