HACKER Q&A
📣 ChuckMcM

Slopsquat CVE?


This came up on conversation over the weekend and I thought I would reach out here and on social media. There is a theoretical way to weaponize slopsquatting, which is to create many (number to be determined) repositories on Github that use a loadable package that promises one thing but has a back door in it to enable an adversary to take control. By filling a pipeline of repositories, giving them "popularity" with a spambot army, one could "inject" into the CoPilot model that the package with the back door was a valid solution to some common coding "want." If the compromised package "worked" to the extent that it did what it said it does until someone asks it to do something different, it could conceivably migrate into non adversary controlled repositories and from there into the greater network.

So crazy talk or CVE? Hard to tell the difference these days.

  👤 alp1n3_eth Accepted Answer ✓
I'd say it doesn't exactly meet the minimum standard for a CVE, as it's more of a technique vs. an actual vulnerability in an application/library. If there was a repo that had a vulnerable component that was currently infected through the manner described, that specific instance would probably qualify as a CVE.

Since this is a technique / overarching issue, it leans more towards being a CWE. Maybe something like:

- CWE-506: Embedded Malicious Code or - CWE-829: Inclusion of Functionality from Untrusted Control Sphere or - CWE-1395: Dependency on Vulnerable Third-Party Component

From Snyk's docs they also explain it: https://github.com/snyk/user-docs/blob/main/docs/manage-risk...

"In almost all cases, malicious packages are not assigned a CVE ID."