NuGet - Major Microsoft supported framework, targeting .NET platforms. Many data packages and libraries were found endangered...

Continue reading
NuGet packages stored on its repository revealed 51 distinctive software elements highly vulnerable to active exploitation, exposing once again the threat caused by third-party dependencies to the development process of any software.
Due to the high number of cybercrimes in recent times targeting the software supply chain, it has become of great significance to check these third-party modules and ensure their safety.
The .NET platform uses NuGet (Microsoft-supported framework) as a package manager that warrants developers to share reusable code. A central repository kept protected by the framework contains over 264,000 unique packages that have jointly produced over 109 billion package downloads.


According to ReversingLabs researcher Karlo Zanki, "All the software components are continuously updated to meet the latest security standards. However, some packages still use outdated dependencies containing vulnerabilities. " As an example, a famous remote server management library 'WinSCPHelper' downloaded over 35000 times uses an older and errored version WinSCP 5.11.2.
After further analysis, the researchers identified nearly 50,000 software elements from the NuGet packages linked to an endangered version of 'zlib' data compression library putting them at risk of various known security errors such as CVE-2016-9840, CVE-2016-9841, and CVE-2016-9842.
Karlo Zaki said, "Companies dealing with software solutions need to stay alert about such risks and improve their error handling process. Before publishing, both the input and output of the development process must undergo investigation for any errors or code quality issues." The whole software development process must be transparent to detect any errors and prevent large-scale supply-chain attacks.

A publicly accessible registration portal, a misconfigured Entra tenant, and no server-side authorization checks. That was enough to reach the systems controlling live World Cup streams