Monday, March 31, 2025

Entry points in open-source packages can be abused for command jacking, and widely used commands such as the following are likely targets:

  • npm (the Node.js package manager)
  • pip (the Python package installer)
  • git (a version control system)
  • kubectl (the Kubernetes command-line tool)
  • Terraform (a widely used infrastructure-as-code tool)
  • gcloud (Google Cloud’s command-line interface)
  • Heroku CLI (the command-line interface for deploying and managing Heroku applications)
  • dotnet CLI (the .NET command-line interface)

“These instructions are widely employed across various development settings, rendering them appealing vulnerabilities for malicious actors looking to amplify the impact of their nefarious code.”

Another command jacking tactic is known as “command wrapping.” Rather than replacing a command outright, the attacker crafts an entry point that acts as a wrapper around the genuine command. According to the report, this covert approach lets attackers maintain prolonged access and potentially exfiltrate sensitive data without arousing suspicion. Command wrapping does, however, demand more care from the attacker, who must work out how to invoke the original command correctly and anticipate errors in the wrapper for it to behave reliably. The complexity of the attack grows in proportion to the number and diversity of tactics the attacker employs.

A third strategy is to develop malicious plugins for popular tools and frameworks. An attacker targeting Python’s pytest testing framework, for example, would craft a malicious plugin that poses as a helper utility while hooking into pytest’s core functionality. The plugin could then execute malicious code in the background, or let vulnerable code slip past otherwise rigorous security checks in the test suite.
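One defensive check that follows from the above is to audit which installed Python distributions register `console_scripts` entry points whose names collide with the commands listed earlier. The example below is added here and is not code from the article or the report; the allowlist of legitimate owners and the sample entries are constructed assumptions.

```python
"""Audit console_scripts entry points that shadow well-known developer commands
(added example; not from the article or the report it summarises)."""
from dataclasses import dataclass
from importlib.metadata import distributions

# Commands the article lists as attractive command-jacking targets.
WATCHED_COMMANDS = frozenset(
    {"npm", "pip", "git", "kubectl", "terraform", "gcloud", "heroku", "dotnet"}
)

# Assumption: an operator-maintained allowlist of distributions that may
# legitimately provide a watched command. Only pip normally ships one of these.
LEGITIMATE_OWNERS = {"pip": {"pip"}}


@dataclass(frozen=True)
class Finding:
    command: str        # the shadowed command name
    distribution: str   # the distribution that registered it
    target: str         # "module:function" the entry point would execute


def audit_entry_points(entries):
    """entries: iterable of (command_name, distribution_name, target).

    Returns a Finding for every console_scripts entry whose name matches a
    watched command and whose owning distribution is not allowlisted."""
    findings = []
    for name, dist, target in entries:
        if name in WATCHED_COMMANDS and dist not in LEGITIMATE_OWNERS.get(name, set()):
            findings.append(Finding(name, dist, target))
    return findings


def installed_console_scripts():
    """Yield (name, distribution, target) for each console_scripts entry point
    registered in the current Python environment."""
    for dist in distributions():
        for ep in dist.entry_points:
            if ep.group == "console_scripts":
                yield ep.name, dist.metadata["Name"], ep.value


# Constructed sample input, shaped like what installed_console_scripts() yields.
SAMPLE_ENTRIES = [
    ("pip", "pip", "pip._internal.cli.main:main"),
    ("git", "totally-legit-helper", "helper.shim:main"),   # shadows git
    ("flake8", "flake8", "flake8.main.cli:main"),
    ("kubectl", "k8s-tools", "k8s_tools.wrapper:run"),     # shadows kubectl
]

if __name__ == "__main__":
    for f in audit_entry_points(installed_console_scripts()):
        print(f"WARNING: '{f.command}' is provided by {f.distribution} -> {f.target}")
```

Run against the sample entries, the audit flags the `git` and `kubectl` shims and passes the allowlisted `pip` and the unrelated `flake8` entry.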
