Alert Status: High 

The Department of Information and Communications Technology (DICT), through the National Cyber Security Center (NCSC), issues this advisory to alert all PNG Government departments, agencies, and organizations about the increased targeting of online code repositories. This alert is relevant to all technical users, organisation leaders, and entities that maintain online code repositories, publish public software packages, or use third-party packages sourced from online repositories. 

Background  

The NCSC is aware of increased targeting of online code repositories by threat actors. These actors have been observed gaining access to repositories through various methods, including: 

  • Phishing and Vishing 
  • Social Engineering 
  • Compromised credentials 
  • Compromised authentication tokens 
  • Infected software packages 

Following successful access to privileged systems and accounts, threat actors have been noted performing the following activities: 

  • Modifying public packages to initiate supply-chain compromises. 
  • Running open-source tools to scan for cryptographic secrets, passwords, and sensitive keys stored in online code repositories. 
  • Extracting and leaking identified credentials publicly. 
  • Migrating private repositories to public repositories. 

Threat actors have been observed abusing legitimate tooling and functions to achieve these results, rather than relying solely on bespoke tooling. The exposure of code bases can allow actors a better understanding of internal processes and systems, increasing an organisation’s attack surface and enabling future, novel attacks. 

Mitigation  

To safeguard your organisation’s systems and data, DICT and NCSC strongly recommend taking the following actions:

  1. Investigate Affected Systems: Review logs for recent package installations, suspicious processes, and unexpected modifications in developer repositories. Analyse any system that hosted a compromised package for malicious activity. 
  2. Validate Packages: Validate that only trusted, verified packages are in use; check package integrity (pinned versions and hashes obtained from a trusted source) for signs of compromise before installation and before updating. 
  3. User Awareness: Inform users of the dangers of unverified and under-verified software packages. 
  4. Monitor for Secret Scanning: Use code repositories’ native security functions (secret scanning and audit logs) to detect secrets committed to repositories and to identify unexpected cloning, API or token activity that may indicate malicious scanning. 
  5. Rotate Potentially Exposed Secrets: Rotate any secrets found in code repositories that may have been accessible from compromised systems or accounts. A secret that has been committed to a repository should be treated as exposed even if the repository is private, since private repositories have been observed being made public. 
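The secret scanning described in the Background section, and the detection and rotation actions in steps 4 and 5 above, can be rehearsed offline with a small scanner of the same kind attackers run. The following is an added example, not tooling from the NCSC or DICT: it matches well-known credential formats and flags high-entropy values assigned to secret-like variable names. The sample repository contents are constructed for the example, and the key values are dummy strings in the documented formats (the AWS key is the documented example key), not real credentials.

```python
"""Scan repository files for committed secrets.

Added example (not part of the NCSC advisory).  The sample files below are
constructed; the credential values are dummies in the documented formats.
"""
import math
import re

# Well-known credential formats.  AWS access key IDs are "AKIA" plus 16
# uppercase alphanumerics; GitHub personal access tokens are "ghp_" plus
# 36 alphanumerics; PEM private keys carry a recognisable header.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# A quoted literal of 16+ characters assigned to a secret-like variable name
# (the name may carry a prefix such as DATABASE_PASSWORD).
ASSIGNMENT = re.compile(
    r"(?i)([A-Za-z0-9_]*(?:secret|password|passwd|token|api[_-]?key))"
    r"\s*[:=]\s*['\"]([^'\"]{16,})['\"]"
)


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random tokens score well above prose."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(path: str, text: str, entropy_threshold: float = 3.5) -> list:
    """Return (path, line_no, kind, match) for every finding in one file."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append((path, line_no, kind, m.group(0)))
        for m in ASSIGNMENT.finditer(line):
            value = m.group(2)
            # Low-entropy placeholders such as 'changeme' are skipped; this is
            # also why a scanner misses weak but real passwords.
            if shannon_entropy(value) >= entropy_threshold:
                findings.append((path, line_no, "high_entropy_value", value))
    return findings


def scan_repo(files: dict) -> list:
    """files maps path -> content; returns all findings sorted by location."""
    out = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return sorted(out)


# Constructed sample repository (not real credentials).
SAMPLE_REPO = {
    "config/settings.py": (
        "DEBUG = False\n"
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "DATABASE_PASSWORD = 'Tr0ub4dor&3xample!Qz9'\n"
    ),
    "scripts/deploy.sh": (
        "#!/bin/sh\n"
        "export GITHUB_TOKEN=" + "ghp_" + "Ab1" * 12 + "\n"
        "echo deploying\n"
    ),
    "README.md": "Set the password in the environment, never in the repo.\n",
}

if __name__ == "__main__":
    for path, line_no, kind, value in scan_repo(SAMPLE_REPO):
        # Every hit is a credential to rotate, not merely to delete from git.
        print(f"{path}:{line_no}: {kind}: {value}")
```

Deleting a flagged line from the repository does not undo the exposure: the value remains in the commit history and in any clone, so each finding is a rotation task. The entropy check illustrates the caveat that pattern-based scanners miss low-entropy real passwords and can be defeated by splitting a secret across lines.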

The compromise of trusted software packages presents a significant and ongoing risk for organisations. These packages are often widely used and embedded as dependencies within other software, increasing the potential impact when a package is compromised or a vulnerability in it is identified. 

To manage this risk effectively, organisations must be able to rapidly identify which software packages—and which specific versions—are installed across their environments. This information should be accurately collected, maintained, and readily accessible. 
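The inventory requirement above, together with step 2 of the mitigations (validating packages before installation), can be met for Python projects by parsing the project's pinned requirements file and checking each downloaded artifact against its recorded hash. The following is an added example, not tooling from the NCSC or DICT. The requirements text and the artifact bytes are constructed for the example; the hash is computed over those constructed bytes and stands in for the pin an organisation would record in its lockfile.

```python
"""Inventory pinned packages from a pip requirements file and verify a
downloaded artifact against its pinned hash before installation.

Added example (not part of the NCSC advisory).  The requirements text and
the artifact bytes are constructed; the hash is computed over those bytes.
"""
import hashlib
import re

# "name==version" at the start of a logical requirement line.
REQ_LINE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)==([^\s\\]+)")
# pip's "--hash=algo:hexdigest" option, possibly several per requirement.
HASH_OPT = re.compile(r"--hash=([a-z0-9]+):([0-9a-f]+)")


def parse_requirements(text: str) -> dict:
    """Return {name: {"version": v, "hashes": {(algo, digest), ...}}}.

    Joins pip's backslash line continuations so that --hash options on
    following lines are attached to the right package.
    """
    entries = {}
    pending = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line:
            continue
        if line.endswith("\\"):
            pending.append(line[:-1])
            continue
        pending.append(line)
        joined = " ".join(pending)
        pending = []
        m = REQ_LINE.match(joined.strip())
        if not m:
            continue
        name = m.group(1).lower().replace("_", "-")
        entries[name] = {
            "version": m.group(2),
            "hashes": set(HASH_OPT.findall(joined)),
        }
    return entries


def unpinned(entries: dict) -> list:
    """Packages recorded without a hash pin: an install would trust the index."""
    return sorted(n for n, e in entries.items() if not e["hashes"])


def verify_artifact(entries: dict, name: str, data: bytes) -> bool:
    """True only if the artifact's digest equals one of the pinned hashes."""
    e = entries.get(name.lower().replace("_", "-"))
    if not e or not e["hashes"]:
        return False          # unknown or unpinned: refuse rather than trust
    for algo, digest in e["hashes"]:
        try:
            h = hashlib.new(algo)
        except ValueError:
            continue          # unsupported algorithm name in the lockfile
        h.update(data)
        if h.hexdigest() == digest:
            return True
    return False


# Constructed artifact bytes and a constructed lockfile pinning them.
GOOD_ARTIFACT = b"constructed wheel bytes for the example\n"
TAMPERED_ARTIFACT = GOOD_ARTIFACT + b"# injected payload\n"
GOOD_DIGEST = hashlib.sha256(GOOD_ARTIFACT).hexdigest()

SAMPLE_REQUIREMENTS = f"""
# constructed lockfile for the example
requests==2.31.0 \\
    --hash=sha256:{GOOD_DIGEST}
urllib3==2.0.7   # no hash pin: would be installed on trust
"""

if __name__ == "__main__":
    inv = parse_requirements(SAMPLE_REQUIREMENTS)
    for name, e in sorted(inv.items()):
        print(f"{name} {e['version']} pinned={bool(e['hashes'])}")
    print("unpinned:", unpinned(inv))
    print("good artifact ok:", verify_artifact(inv, "requests", GOOD_ARTIFACT))
    print("tampered artifact ok:", verify_artifact(inv, "requests", TAMPERED_ARTIFACT))
```

The inventory produced by `parse_requirements` is the name-and-version list the advisory asks organisations to keep current; `unpinned` surfaces the dependencies that a modified public package could replace silently, and `verify_artifact` refuses anything whose bytes differ from the recorded pin, which is the check to run before installation or update.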

Prompt action is essential to mitigate these risks and protect your organization’s systems and data. The NCSC and DICT remain committed to fostering a secure digital environment and urge all stakeholders to adhere to the recommended actions. 

For further assistance or inquiries, contact the National Cyber Security Center (NCSC). Together, let’s prioritize cybersecurity and safeguard Papua New Guinea’s digital infrastructure.