npm (the Node.js package manager)
pip (the Python package installer)
git (a version control system)
kubectl (a Kubernetes command-line tool)
terraform (an Infrastructure as Code tool)
gcloud (Google Cloud’s command-line interface)
heroku (the Heroku command line interface)
dotnet (the command line interface for .NET Core)
“Each of these commands is widely used in various development environments, making them attractive targets for attackers looking to maximize the impact of their malicious packages,” says the report.
Another command jacking tactic has been dubbed “command wrapping.” Instead of replacing a command, an attacker creates an entry point that acts as a wrapper around the original command. This stealthy approach allows attackers to maintain long-term access and potentially exfiltrate sensitive information without raising suspicion, says the report. However, it adds, implementing command wrapping requires additional research by the attacker. They need to understand the correct paths for the targeted commands on different operating systems and account for potential errors in their code. This complexity increases with the diversity of systems the attack targets.
A third tactic would be creating malicious plugins for popular tools and frameworks. For example, if an attacker wanted to target Python’s pytest testing framework, they would create a plugin which appears to be a utility to help in testing that uses pytest’s entry point. The plugin could then run malicious code in the background, or allow buggy or vulnerable code to pass quality checks.