
Cybersecurity researchers have uncovered a new threat to software supply chains that spans multiple programming ecosystems, including PyPI, npm, Ruby Gems, NuGet, Dart Pub, and Rust Crates: the abuse of package entry points. Entry points, which are typically used by developers to execute specific commands or load plugins, can be exploited by attackers to introduce malicious code.

According to a report by Checkmarx researchers Yehuda Gelb and Elad Rapaport, these vulnerabilities pose a widespread risk to the open-source community, offering a stealthy and persistent way to bypass traditional security defenses.

One method, known as command-jacking, involves attackers using fake packages that mimic popular third-party tools like npm, pip, or git. These counterfeit packages collect sensitive information once installed, often without the developer's knowledge. A more advanced technique, called command-wrapping, enables malicious code to run alongside legitimate commands, making it nearly impossible to detect. This method silently executes harmful code while still returning the expected output, allowing attackers to maintain long-term access to compromised systems without raising suspicion.
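As an added illustration (not part of the Checkmarx research or this article), the following Python script shows a defender-side check for the command-jacking pattern: it lists the console_scripts entry points of installed distributions and flags any whose name matches a commonly run tool but whose owning distribution is not the one expected to provide it. The watchlist, the expected-owner mapping and the constructed sample entries are assumptions for the example.

```python
"""Flag console_scripts entry points that look like command-jacking:
a script named after a common tool, registered by an unrelated package.
Added example; the watchlist and owner mapping below are illustrative."""
import shutil
from importlib import metadata

# Commonly run commands mapped to the distribution expected to own a
# console_script of that name. None means the tool is not a Python script
# at all, so any Python package registering that name is suspicious.
EXPECTED_OWNER = {"pip": "pip", "pytest": "pytest", "black": "black",
                  "npm": None, "git": None, "node": None}


def normalize(name: str) -> str:
    """PEP 503-style normalization so 'Foo_Bar' and 'foo-bar' compare equal."""
    return name.lower().replace("_", "-").replace(".", "-")


def flag_entry_points(entries, expected_owner=EXPECTED_OWNER):
    """entries: iterable of (script_name, distribution_name) pairs.
    Returns a list of (script_name, distribution_name, reason) to review."""
    findings = []
    for script, dist in entries:
        if script not in expected_owner:
            continue
        owner = expected_owner[script]
        if owner is None:
            findings.append((script, dist, "shadows a non-Python tool"))
        elif normalize(dist) != normalize(owner):
            findings.append((script, dist, f"expected owner {owner!r}"))
    return findings


def installed_console_scripts():
    """Yield (script_name, distribution_name) for every installed console_script."""
    for dist in metadata.distributions():
        for ep in dist.entry_points:
            if ep.group == "console_scripts":
                yield ep.name, dist.metadata["Name"]


# Constructed sample: one legitimate entry, two that should be flagged.
SAMPLE = [("pip", "pip"), ("pip", "totally-legit-utils"), ("npm", "evil-pkg")]

if __name__ == "__main__":
    for source in (SAMPLE, installed_console_scripts()):
        for script, dist, reason in flag_entry_points(source):
            # shutil.which shows what actually runs when a developer types the name.
            print(f"[!] {script} from {dist}: {reason}; on PATH: {shutil.which(script)}")
```

The live scan only covers Python distributions visible to the running interpreter; run it inside each virtual environment you want to audit.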

The rising number of these attacks highlights the growing threat to the open-source ecosystem. In a related report, Sonatype revealed a 156% year-over-year increase in malicious packages discovered across Java, JavaScript, Python, and .NET ecosystems. Researchers are calling for enhanced security measures to address these entry-point vulnerabilities, as traditional security tools have struggled to detect these sophisticated supply chain attacks. Moving forward, the development of comprehensive defenses is critical to protecting developers and organizations from these emerging threats.
