
PyPI open-source code repository deals with manic malware maelstrom
2023-05-23 18:45

Public source code repositories, from Sourceforge to GitHub, from the Linux Kernel Archives to ReactOS.org, from PHP Packagist to the Python Package Index, better known as PyPI, are a fantastic source of free operating systems, applications, programming libraries, and developers' toolkits that have done computer science and software engineering a world of good.

Rather than writing every routine yourself, you can save time by searching for a package that already exists in one of the many available repositories, and hooking that external package into your own tree of source code.

Cybercriminals who guess, steal or buy the passwords to other people's projects can inject malware into the code, and anyone who already trusts the once-innocent package will unwittingly infect themselves if they pull in the rogue "update" automatically.

Examples include a US PhD student and their supervisor who deliberately submitted fake patches to the Linux kernel as part of an unauthorised experiment that the core Linux team were left to sort out, and a self-serving "expert" with the nickname Supply Chain Risks who uploaded a booby-trapped fake project to the PyPI repository as a reminder of the risk of so-called supply chain attacks.

SC Risks then followed up their proof-of-concept "research" package with a further 3950 packages, leaving the PyPI team to find and delete them all.

Remember that packages typically include install-time scripts (for a Python source distribution, the setup.py that pip runs while unpacking it) that execute when you install or update, so a malware infection can be delivered by the install process itself and need not appear anywhere in the package source code that is left on disk afterwards.
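The install-time hook is easy to see in a Python source distribution: pip unpacks the sdist and runs its setup.py, so anything in that file, including a custom install command registered through cmdclass, executes with the installing user's privileges before a single line of the library is ever imported. The scanner below is an added example, not code from the Sophos article or from PyPI; it builds two constructed sdists in memory (one benign, one carrying a base64-wrapped shell command in a cmdclass hook) and walks each .py file's AST for install-time calls worth a second look. The package names, the list of suspicious calls and the payload are assumptions made for the demonstration.

```python
from __future__ import annotations

import ast
import io
import tarfile

# Calls that rarely belong in a setup.py and usually mean code runs at install
# time. The list is an assumption for this example; extend it for real use.
SUSPICIOUS_CALLS = {
    "os.system", "os.popen", "subprocess.run", "subprocess.Popen",
    "subprocess.call", "subprocess.check_call", "subprocess.check_output",
    "urllib.request.urlopen", "requests.get", "base64.b64decode",
    "ctypes.CDLL", "exec", "eval", "__import__",
}
SETUP_FUNCS = {"setup", "setuptools.setup", "distutils.core.setup"}


def _import_map(tree: ast.AST) -> dict[str, str]:
    """Map each locally bound name to the module path it was imported from."""
    aliases: dict[str, str] = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.asname:                      # import subprocess as sp
                    aliases[alias.asname] = alias.name
                else:                                 # import urllib.request binds 'urllib'
                    top = alias.name.split(".")[0]
                    aliases[top] = top
        elif isinstance(node, ast.ImportFrom) and node.module:
            for alias in node.names:                  # from subprocess import Popen as P
                aliases[alias.asname or alias.name] = f"{node.module}.{alias.name}"
    return aliases


def _dotted_name(node: ast.AST) -> str | None:
    """Turn an a.b.c attribute chain into 'a.b.c'; None for anything else."""
    parts: list[str] = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def _resolve(func: ast.AST, aliases: dict[str, str]) -> str | None:
    """Resolve the callee through import aliases, e.g. sp.Popen -> subprocess.Popen."""
    dotted = _dotted_name(func)
    if dotted is None:
        return None
    head, _, rest = dotted.partition(".")
    base = aliases.get(head, head)
    return f"{base}.{rest}" if rest else base


def find_suspicious_calls(source: str) -> list[tuple[int, str]]:
    """Return (line, label) for every suspicious call or cmdclass hook in source."""
    tree = ast.parse(source)
    aliases = _import_map(tree)
    hits: list[tuple[int, str]] = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        name = _resolve(node.func, aliases)
        if name in SUSPICIOUS_CALLS:
            hits.append((node.lineno, name))
        # setup(cmdclass=...) swaps pip's install command for the package's own class
        if name in SETUP_FUNCS and any(kw.arg == "cmdclass" for kw in node.keywords):
            hits.append((node.lineno, "cmdclass"))
    return sorted(hits)


def make_sdist(setup_py: str, project: str = "demo-1.0") -> bytes:
    """Build a minimal sdist tarball in memory (a constructed stand-in for a PyPI download)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        data = setup_py.encode()
        info = tarfile.TarInfo(f"{project}/setup.py")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def scan_sdist(data: bytes) -> dict[str, list[tuple[int, str]]]:
    """Scan every .py file in an sdist; map member name -> findings (empty if clean)."""
    findings: dict[str, list[tuple[int, str]]] = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile() or not member.name.endswith(".py"):
                continue
            source = tar.extractfile(member).read().decode("utf-8", "replace")
            hits = find_suspicious_calls(source)
            if hits:
                findings[member.name] = hits
    return findings


# Constructed samples: a normal setup.py and one with an install-time payload.
BENIGN_SETUP = '''
from setuptools import setup, find_packages

setup(name="demo", version="1.0", packages=find_packages())
'''

MALICIOUS_SETUP = '''
import base64, subprocess
from setuptools import setup
from setuptools.command.install import install

class PostInstall(install):
    def run(self):
        install.run(self)
        cmd = base64.b64decode(b"ZWNobyBwd25lZA==").decode()   # "echo pwned", never executed here
        subprocess.Popen(cmd, shell=True)

setup(name="totally-legit", version="1.0", cmdclass={"install": PostInstall})
'''

if __name__ == "__main__":
    for label, src in (("benign", BENIGN_SETUP), ("malicious", MALICIOUS_SETUP)):
        print(label, scan_sdist(make_sdist(src)) or "no findings")
```

To run it against a real package, fetch the sdist without installing it (`pip download --no-deps --no-binary :all: <name>`) and pass the file's bytes to scan_sdist. A hit is a prompt to read the file, not proof of malice; build plugins legitimately use cmdclass. The surest way to avoid running install-time code at all is `pip install --only-binary=:all:`, since a wheel carries no setup.py, combined with `--require-hashes` so that the artefact you reviewed is the one that actually gets installed.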


News URL

https://nakedsecurity.sophos.com/2023/05/23/pypi-open-source-code-repository-deals-with-manic-malware-maelstrom/
