Healthcare had the second-highest number of third-party and fourth-party scripts on websites, which raises the risk of shadow code that was never validated by site owners and could increase their vulnerability to cyberattacks, HealthITSecurity reports.
Third-party scripts have been leveraged by institutions due to the underlying benefits but they could also evade web application firewalls, network monitoring tools, perimeter firewalls, and other security controls, according to a Source Defense report. Threat actors could use shadow code-infected third-party scripts to enable web page content modifications, keystroke recording, and click tracking, as well as credential collection and exfiltration.
"Many organizations are continually transforming their web presence with new marketing, eCommerce, social media, customer support, and supply chain projects. They also rapidly replace existing digital suppliers and business partners with new ones. This churn means that over the course of a year the security team for an average website might need to monitor perhaps 50% or 100% more third- and fourth-party scripts than are on the site at any one time," researchers said.
A GitHub Actions workflow could have been used for a command injection vulnerability in Bazel, which had the potential for threat actors to add malicious code into the production environment for projects using the Google open-source product.