Detecting compromised source code using Rapid Scan Static’s Malicious URLs feature
Jun 16, 2025 / 4 min read
In the ever-evolving landscape of cybersecurity, staying ahead of potential threats is crucial, but it’s not always possible. So when new threats emerge and the media frenzy ensues, you’re forced to implement post-threat measures to mitigate the impact.
The risk of compromised source code
We have all been there: The chief information security officer is asking if you’re affected by the latest hack or zero-day vulnerability, and you have to scramble to figure out how to check every file, repository, and server.
These incidents pose a severe threat to the business and can significantly disrupt productivity across many teams. The Apache Struts attack in 2017 and the Log4j vulnerability in 2021 are prime examples. In another incident, the Polyfill.io supply chain attack of 2024, malicious actors obtained a domain used to host Polyfill source code. Polyfill.js is code that’s used for backward compatibility, allowing older browsers to run code that contains modern JavaScript features. The attackers dynamically loaded malicious source code into victims’ browsers without their knowledge, and developers using Polyfill from a content delivery network (CDN) unknowingly loaded malicious code into their sites.
This incident is an example of an emerging kind of threat that cannot be detected by typical software composition analysis (SCA) or static application security testing (SAST) tools. Instead, this is a novel kind of supply chain poisoning where a resource that was previously completely legitimate suddenly isn't.
Example code.
Detecting compromised source code
The above image is a simple example of how Polyfill.js is used.
In this code, if the HTML is rendered into an older browser that does not support the Array.prototype.includes method, it is obtained from the Polyfill CDN. JavaScript features can be loaded from the CDN into any website source file, such as PHP files that contain HTML. This results in a third-party component that’s linked directly from JavaScript, HTML, or PHP, but that would not be part of a package.json file or an SBOM when one is generated by an SCA scan.
To detect this type of compromised source code, you would need to check if known malicious URLs are contained anywhere in your repositories, including in the source code files.
During the Polyfill.io supply chain attack however, Black Duck was able to successfully use our Rapid Scan Static engine to detect compromised source code. So we decided to roll out a new feature that helps users rapidly mitigate similar threats in the future.
Now, Rapid Scan Static can quickly solve this problem at scale.
Enabling malicious URL detection in your scan configuration
The Malicious URLs feature makes it easier to detect compromised source code. Available in Coverity® Static Analysis and in the standalone Rapid Scan Static engine, this feature allows users to provide custom URL patterns in a file to configure what should be detected by the checker.
Simply add a text-based file that contains the URLs you want to check for to your scan’s root directory, and then modify your config file to enable the Malicious URLs feature.
Example of a malicious patterns file (top) and enabling the feature in the config file (above).
Now you’re ready to run scans on all your codebases as usual. Since Rapid Scan Static is lightning fast, it only takes a few minutes to ensure that your entire codebase is not vulnerable to the Polyfill supply chain attack or other similar attacks in the future.
Using this feature early in the software development life cycle will ensure that you catch any new potential threats as early as possible. This feature can also be run through the command line interface, using the analyze command.
For details on enabling the Malicious URLs feature in your projects, see the Rapid Scan Static documentation.
Practical security tips for malicious URL detection
If you know which types of issues you want to eliminate, you’re in a much stronger position to avoid potential risks. Here are some tips to consider when thinking about potential malicious URL patterns that could be hiding in your code.
- This feature can be very useful if you know what you don’t want to see in your source code. For example, if you’re familiar with the tiny China Chopper malware, it is trivial to specify the patterns that can be used to detect behavior associated with the malware.
- Any domain that is known to serve malware should be considered a high-risk malicious URL. If you are keen on security, you likely have read many blogs on how specific malware or targeted attacks have played out. These attacks often communicate with command and control servers, which can perform a variety of destructive activities on your systems. By adding the URL of known malicious command and control servers to your patterns file, you can block your apps from communicating with them.
- If you know server names of malware hosts or malware deployment techniques, simply add these to the malicious pattern files. Of course, this is not a fool-proof technique as malware authors obfuscate code as much as possible, but this is a fast early line of defense. This approach allows developers to shift left and catch some dangers before they are exploited in production code.
- Developers often include open source code that does some of the heavy lifting for them. But when some of this code is hijacked, typosquatted, or is just simply evil, it is vital to have some detection mechanisms in place.
- In some cases, it may be a good idea to use the Malicious URLs feature to prevent the use of “file://” URLs in your source code, as these could introduce a Local File Inclusion vulnerability that enables attackers to run files on the server.
By automatically identifying and flagging malicious URLs, this feature provides the visibility and control needed to protect your applications from potential security threats. Integrating scans into your development and security workflows can significantly enhance your ability to identify and remediate vulnerabilities, providing protection against compromised URLs in the future.
Keep safe out there!
Continue Reading
Key insights from Black Duck’s 2024 Global State of DevSecOps report
Oct 08, 2024 / 5 min read