Top issues
Problem
Uniform Resource Locators (URLs) are structured addresses that point to locations and assets on the internet. URLs allow software developers to build complex applications that exchange data with servers that can be hosted in multiple geographical regions. URLs can commonly be found embedded in documentation, configuration files, source code and compiled binaries. One or more embedded URLs were discovered to link to raw files hosted on GitHub. Attackers often abuse popular web services to host malicious payloads. Since code-sharing services URLs are typically allowed by security solutions, using them for payload delivery increases the odds that the malicious code will reach the user. While the presence of code-sharing service locations does not imply malicious intent, all of their uses in a software package should be documented and approved. An increasing number of software supply chain attacks in the open source space leverages the GitHub service to deliver malicious payloads.Prevalence in NuGet community
0 packages
found in
Top 100
22 packages
found in
Top 1k
142 packages
found in
Top 10k
59574 packages
in community
Next steps
Investigate reported detections.
If the software should not include these network references, investigate your build and release environment for software supply chain compromise.
You should delay the software release until the investigation is completed, or until the issue is risk accepted.
Consider an alternative delivery mechanism for software packages.
Detected digital signatures that rely on a weak digest algorithm for integrity validation.
signatures
Problem
Digital signatures are applied to applications, packages and documents as a cryptographically secured authenticity record. Signatures verify the origin and the integrity of the object they apply to. The integrity validation relies on the cryptographic strength of the encryption and the hash verification algorithm. If either of the two is considered weak by current standards, there is a chance the signed object could be maliciously modified, without triggering the integrity failure check.Prevalence in NuGet community
0 packages
found in
Top 100
38 packages
found in
Top 1k
315 packages
found in
Top 10k
733240 packages
in community
Next steps
Create signatures with strong ECC key-length of at least 224 bits, or RSA key-length of at least 2048 bits, and use SHA256 as the hashing algorithm. While encryption key-length upgrade does require you to obtain a new certificate, the hashing algorithm can freely be selected during signing.
With Microsoft SignTool, you can specify the hashing algorithm using the /fd SHA256 parameter.
Top behaviors
Contains URLs that link to raw files on GitHub.
network
Prevalence in NuGet community
Behavior often found in this community (Common)
0 packages
found in
Top 100
22 packages
found in
Top 1k
142 packages
found in
Top 10k
59985 packages
in community
Contains IP addresses.
network
Prevalence in NuGet community
Behavior often found in this community (Common)
0 packages
found in
Top 100
59 packages
found in
Top 1k
458 packages
found in
Top 10k
532614 packages
in community
Contains URLs.
network
Prevalence in NuGet community
Behavior often found in this community (Common)
0 packages
found in
Top 100
63 packages
found in
Top 1k
513 packages
found in
Top 10k
735907 packages
in community
Contains URLs related to release pages of projects hosted on GitHub.
network
Prevalence in NuGet community
Behavior often found in this community (Common)
0 packages
found in
Top 100
7 packages
found in
Top 1k
49 packages
found in
Top 10k
14642 packages
in community
Loads additional .NET assemblies.
execution
Prevalence in NuGet community
Behavior often found in this community (Common)
0 packages
found in
Top 100
32 packages
found in
Top 1k
218 packages
found in
Top 10k
112989 packages
in community
Top vulnerabilities
No vulnerabilities found.