
posted by janrinok on Sunday November 21, @06:03PM
from the how-many-products-built-with-these-will-actually-get-recalled? dept.

Malware downloaded from PyPI 41,000 times was surprisingly stealthy:

PyPI—the open source repository that both large and small organizations use to download code libraries—was hosting 11 malicious packages that were downloaded more than 41,000 times in one of the latest reported such incidents threatening the software supply chain.

JFrog, a security firm that monitors PyPI and other repositories for malware, said the packages are notable for the lengths its developers took to camouflage their malicious code from network detection. Those lengths include a novel mechanism that uses what's known as a reverse shell to proxy communications with control servers through the Fastly content distribution network. Another technique is DNS tunneling, something that JFrog said it had never seen before in malicious software uploaded to PyPI.

"Package managers are a growing and powerful vector for the unintentional installation of malicious code, and as we discovered with these 11 new PyPI packages, attackers are getting more sophisticated in their approach," Shachar Menashe, senior director of JFrog research, wrote in an email. "The advanced evasion techniques used in these malware packages, such as novel exfiltration or even DNS tunneling (the first we've seen in packages uploaded to PyPI) signal a disturbing trend that attackers are becoming stealthier in their attacks on open source software."

The researchers said that PyPI quickly removed all malicious packages once JFrog reported them.


Related Stories

Malicious NPM Packages are Part of a Malware "Barrage" Hitting Repositories

Malicious NPM packages are part of a malware "barrage" hitting repositories:

Researchers have found another 17 malicious packages in an open source repository, as the use of such repositories to spread malware continues to flourish.

This time, the malicious code was found in NPM, where 11 million developers trade more than 1 million packages among each other. Many of the 17 malicious packages appear to have been spread by different threat actors who used varying techniques and amounts of effort to trick developers into downloading malicious wares instead of the benign ones intended.

This latest discovery continues a trend first spotted a few years ago, in which miscreants sneak information stealers, keyloggers, or other types of malware into packages available in NPM, RubyGems, PyPI, or another repository. In many cases, the malicious package has a name that's a single letter different from a legitimate package. Often, the malicious package includes the same code and functionality as the package being impersonated and adds concealed code that carries out additional nefarious actions.

"We are witnessing a recent barrage of malicious software hosted and delivered through open-source software repositories," JFrog researchers Andrey Polkovnychenko and Shachar Menashe wrote on Wednesday. "Public repositories have become a handy instrument for malware distribution: the repository's server is a trusted resource, and communication with it does not raise the suspicion of any antivirus or firewall. In addition, the ease of installation via automation tools such as the npm client, provides a ripe attack vector."

Recently: Malware Downloaded from PyPI 41,000 Times Was Surprisingly Stealthy

  • (Score: 5, Insightful) by Rosco P. Coltrane on Sunday November 21, @06:15PM (4 children)

    by Rosco P. Coltrane (4757) on Sunday November 21, @06:15PM (#1198368)

    TFA says 11 packages were compromised. And as always in this kind of story, it's impossible to find out which.

    Anybody know where the list is?

    • (Score: 5, Insightful) by sjames on Sunday November 21, @07:16PM (1 child)

      by sjames (2882) on Sunday November 21, @07:16PM (#1198379) Journal

      THIS!

      11 is hardly too many to list, and it seems like a fairly important bit of information. But TFA doesn't list them nor does it link to anywhere for detailed information.

      It also doesn't mention that JFrog is a paid package management system complete with paid consultancy and paid certifications. That makes me wonder if those 11 packages have ever actually been downloaded by an actual developer as opposed to a dropper built into an exploit.

      I have no doubt the packages are bad and need to be gone, but certainly JFrog is well motivated to make the problem look as severe and pervasive as possible.

      • (Score: 5, Informative) by Thexalon on Sunday November 21, @07:53PM

        by Thexalon (636) on Sunday November 21, @07:53PM (#1198390)

        I'd also note here we know absolutely nothing about the 41,000 downloads, and how those packages were used once they were downloaded.

        For instance, if I were a security consulting company wanting to maximize Fear, Uncertainty, and Doubt about everything in a free shared code repository, I wouldn't even dream of doing something like this:
        1. Pay a third party a bunch of money to develop some malicious-but-innocuous-looking Python packages and upload them to PyPI using fake information on how to locate them.

        2. The third party who developed the malicious software tells you exactly where to find it in PyPI, and what the maliciousness they put in is.

        3. From one of your servers, you do something like this:
        # for i in $(seq 1 50000); do wget https://pypi.org/some/malicious/package-0.0.2.tar.bz2; sleep 100; done
        If you run up against download limits, route it through the Tor onion, or get a bunch of free-tier AWS servers or some-such to do this.

        4. Once the download numbers are high enough to look significant, alert PyPI about the problem that you "discovered".

        5. As loudly as possible, tell the world "OMG, there was malicious software in PyPI that got downloaded 50,000 times! And we were the ones who were smart enough to figure it out! Alert the media! Everybody panic! Oh, and by the way, we just happen to sell a solution to the problem." Again, keeping quiet about the origin of the problem.

        None of this means it wouldn't be wise to read through any code you're using in anything important just to be sure you know what's going on, which you can do in an open-source repository like PyPI.

        --
        The inverse of "I told you so" is "Nobody could have predicted"
    • (Score: 5, Informative) by rigrig on Sunday November 21, @07:42PM

      by rigrig (5129) Subscriber Badge <soylentnews@tubul.net> on Sunday November 21, @07:42PM (#1198386) Homepage

      JFrog [jfrog.com] has the full list.
      (Obviously Ars Technica couldn't link there, as readers might navigate away from their site.)

      --
      No one remembers the singer.
    • (Score: 2, Informative) by Anonymous Coward on Sunday November 21, @09:35PM

      by Anonymous Coward on Sunday November 21, @09:35PM (#1198420)

      Judging by the packages involved, there is a mix of dependency confusion, compromised packages, and straight malware.

      • mportantpackage
      • important-package
      • pptest
      • ipboards
      • owlmoon
      • DiscordSafety
      • trrfab
      • 10Cent10
      • 10Cent11
      • yandex-yt
      • yiffparty
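
As an added example (not code from the article, from JFrog, or from any commenter), a small defender-side audit of a constructed requirements.txt: it flags the package names quoted in the comment above and any name one edit away from an assumed project allowlist, which is the "single letter different" pattern the related story describes.

```python
import re
from typing import Iterable, List, Optional, Tuple


def normalize(name: str) -> str:
    """PEP 503 name normalization: case-insensitive, runs of [-_.] become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


# The 11 names listed in the comment above (quoted from the thread, not
# independently verified here).
KNOWN_MALICIOUS = {normalize(n) for n in (
    "mportantpackage", "important-package", "pptest", "ipboards", "owlmoon",
    "DiscordSafety", "trrfab", "10Cent10", "10Cent11", "yandex-yt", "yiffparty",
)}

# Assumed allowlist of what this hypothetical project really depends on.
TRUSTED = {"requests", "urllib3", "python-dateutil", "numpy"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via a two-row dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def requirement_name(line: str) -> Optional[str]:
    """Return the bare project name from one requirements.txt line, or None."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("-"):
        return None
    m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
    return m.group(0) if m else None


def audit(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Flag known-bad names and near-misses of trusted names; returns (name, reason)."""
    findings = []
    trusted = {normalize(t) for t in TRUSTED}
    for line in lines:
        raw = requirement_name(line)
        if raw is None:
            continue
        name = normalize(raw)
        if name in KNOWN_MALICIOUS:
            findings.append((raw, "listed as malicious"))
        elif name not in trusted:
            for t in sorted(trusted):
                if edit_distance(name, t) == 1:
                    findings.append((raw, f"one edit away from trusted '{t}'"))
                    break
    return findings


# Constructed sample input: one typo-squat lookalike and one listed name.
SAMPLE_REQUIREMENTS = """\
requests==2.26.0
urlib3>=1.26          # constructed typo of urllib3
important-package     # on the list above
python-dateutil
numpy; python_version >= "3.8"
"""

if __name__ == "__main__":
    for name, reason in audit(SAMPLE_REQUIREMENTS.splitlines()):
        print(f"{name}: {reason}")
```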
  • (Score: 0) by Anonymous Coward on Sunday November 21, @07:57PM (10 children)

    by Anonymous Coward on Sunday November 21, @07:57PM (#1198392)

    We laugh at people who click on links in random emails. They got what they deserved for being stupid. How is (using random code) this any different?

    Same with people who install free games that steal their banking passwords. Because we're smarter than that.

    Looks pretty stupid in retrospect.

    • (Score: 2) by PinkyGigglebrain on Sunday November 21, @11:00PM (5 children)

      by PinkyGigglebrain (4458) on Sunday November 21, @11:00PM (#1198442)

      "many eyes" of OSS is always better than "no eyes" of proprietary software. Sure sometimes stuff gets missed, but that is better than no one looking at all.

      As another poster commented there is enough critical info missing from the article that a reasonably educated user would be at least a little suspicious of the claims made in the article. Missing info like the names of the packages involved stands out the most for me. That would be seen as very important info by anyone who didn't want to just stir up some FUD around OSS and/or get some PR for themselves.

      --
      "Beware those who would deny you Knowledge, For in their hearts they dream themselves your Master."
      • (Score: 0) by Anonymous Coward on Sunday November 21, @11:53PM (4 children)

        by Anonymous Coward on Sunday November 21, @11:53PM (#1198455)

        If you think that proprietary software has a "no eyes" review policy, you're betraying your ignorance. Which is better - people being paid to review and test software, with their jobs depending on being effective, or the "no eyes" of open source?
        • (Score: 2) by Runaway1956 on Monday November 22, @01:23AM (2 children)

          by Runaway1956 (2926) Subscriber Badge on Monday November 22, @01:23AM (#1198472) Homepage Journal

          people being paid to review and test software, with their jobs depending on being effective

          Have you seen Microsoft Update? How many computers have been bricked (or had data destroyed) by MS Update in the past 1/4 century? You're telling me that people get fired when that happens?

          --
          Taking bets: When does Biden's approval rating reach 15%?
          • (Score: 0) by Anonymous Coward on Monday November 22, @02:12AM

            by Anonymous Coward on Monday November 22, @02:12AM (#1198479)

            Let's do the numbers. How many more centuries are we waiting for "the year of the linux desktop?" It's less than 1% because it's shit. Linux distros peaked circa 2020 in terms of quality and market penetration.

            And most of the "bricked" devices weren't bricked - a wipe and reinstall was all. And I've run into the exact same problem with linux updates, where only a wipe and re-install fixed the shitty system - after which it was time to look for yet another distro.

            Never had that problem with FreeBSD.

            Looking forward to an Apple - if it's as good as the iPhone (which makes android spyware-as-a-phone look like crap and has generally crappy and short support lifetimes), I'll be happy.

            Because honestly I'd rather use XP than any current linux distro. At least the old games will run great.

            But seriously, how many linux fanbois DON'T have at least 1 windows box? It's open source's dirty little secret.

          • (Score: 1, Informative) by Anonymous Coward on Monday November 22, @02:17AM

            by Anonymous Coward on Monday November 22, @02:17AM (#1198480)

            Or even MacOS/iOS/iPadOS. Even if you give Microsoft some slack because of the huge number of varied systems running Windows, Apple doesn't have the same excuse because they do control the exact base hardware. Apple has also had their share of bricked devices after update and absolutely glaring security holes.

        • (Score: 2) by PinkyGigglebrain on Monday November 22, @02:04AM

          by PinkyGigglebrain (4458) on Monday November 22, @02:04AM (#1198477)

          Source code that any decent programmer can look at in their spare time and possibly find bugs because that's what they have fun doing.
          or
          source code that no one outside of a select number of people who don't really want to make more work for themselves by reporting a bug that they don't think will ever come up within the expected life of the project.

          Which would you trust more?

          I've seen a lot of source code, proprietary and OSS, that is just absolute garbage held together by hacks and very iffy assumptions. Programmers are human and they make mistakes. Doesn't matter if they are coding for fun or a paycheck, shit is going to happen.

          The difference between the two types of code is one can be reviewed by many people who actually want to look at it and can find problems before they cause trouble and the other never gets reviewed outside of a handful of people who already have a looming deadline and don't want to make more work for themselves by reporting an issue that they think will probably never cause a problem within the life of the program.

          If you think that proprietary software has a "no eyes" review policy, you're betraying your ignorance.

          Do you always take things so literally? Or is that just how you're trying to play this thread to support your viewpoint?

          --
          "Beware those who would deny you Knowledge, For in their hearts they dream themselves your Master."
    • (Score: 0) by Anonymous Coward on Monday November 22, @02:41AM (1 child)

      by Anonymous Coward on Monday November 22, @02:41AM (#1198486)

      Seems like the many eyes worked here. You had enough of the right eyes looking for these sorts of "bugs" and they ended up finding them.

      • (Score: 0) by Anonymous Coward on Monday November 22, @08:56AM

        by Anonymous Coward on Monday November 22, @08:56AM (#1198535)

        41,000 downloads - so how many projects used this crappy code and shipped products with spyware? We don't know, and we don't know what has been compromised as a result. So the digging has to continue. Will it?
    • (Score: 0) by Anonymous Coward on Monday November 22, @05:15PM

      by Anonymous Coward on Monday November 22, @05:15PM (#1198606)

      It was just made in the era of academic computer and later, internet use, when software was still the domain of nerds and computer science/electrical engineering majors, meaning that competent eyes would be looking at the code (and possibly modifying it to fit their purposes.) With modern software development, the 'upstart programmer' (brogrammers and 'woke' types alike), we're seeing a lot fewer knowledgeable or experienced eyes looking at code. Given the sheer quantities of code and 'feature creep' because everyone wants to get paid for ongoing work, rather than finding out they were a one hit wonder, and their next project won't pay the bills now that they can't milk the previous one, we've gotten to a point where most people take for granted that 'someone else's eyes are vetting the code', and separately that we now have millions of users who never could vet the code because they don't have the knowledge or experience to know what they are looking for, whether the backdoors are subtle, or blatantly obvious.

      Really the only solution that makes sense today is a complete machine learning database of existing exploits for each language with a percentage of concern followed by manual review. If this process is transparent it should allow the many eyes to focus on the things that might be exploits until multi-language and discipline malware becomes more common, requiring new ML models and deeper investigation by multiple sets of eyes, or even teams.

    • (Score: 0) by Anonymous Coward on Monday November 22, @08:00PM

      by Anonymous Coward on Monday November 22, @08:00PM (#1198655)

      lol, another whore-ass Windows user.

  • (Score: 3, Insightful) by dwilson on Sunday November 21, @09:38PM (2 children)

    by dwilson (2599) on Sunday November 21, @09:38PM (#1198422)

    "Package managers are a growing and powerful vector for the unintentional installation of malicious code, and as we discovered with these 11 new PyPI packages, attackers are getting more sophisticated in their approach," Shachar Menashe, senior director of JFrog research, wrote in an email. "The advanced evasion techniques used in these malware packages, such as novel exfiltration or even DNS tunneling (the first we've seen in packages uploaded to PyPI) signal a disturbing trend that attackers are becoming stealthier in their attacks on open source software."

    No, package managers have always been recognized as a threat vector, and the people who run them have always been responding to new vulnerabilities and improving security. At least, if they're doing their job, they have been.

    Compared to the {apt,rpm}-based systems maintained by just about any linux distribution, PyPI and NPM are amateur-hour at best. Shame they're so popular. Shame the people generating python and javascript libraries seem to go out of their way to make it hard to package them with traditional methods, driving people to the new (vulnerable) kids on the block.

    --
    - D
    • (Score: 2) by Runaway1956 on Sunday November 21, @10:27PM

      by Runaway1956 (2926) Subscriber Badge on Sunday November 21, @10:27PM (#1198431) Homepage Journal

      I don't think of pip, pypy, flatpak and similar as a "package manager".

      You've got to trust your package management system, so I stay with apt. That's not to say that I've never used anything outside the 'official' software supply, but I just don't trust those systems.

      --
      Taking bets: When does Biden's approval rating reach 15%?
    • (Score: 0) by Anonymous Coward on Tuesday November 23, @04:09PM

      by Anonymous Coward on Tuesday November 23, @04:09PM (#1198922)

      But what are the odds that a random python coder would download one of the malware packages from PyPI and get pwned?

      Looking at the infected packages it seems more likely that the company paid people to download the stuff:

              mportantpackage
              important-package
              pptest
              ipboards
              owlmoon
              DiscordSafety
              trrfab
              10Cent10
              10Cent11
              yandex-yt
              yiffparty

      I think it'll be noteworthy if something like urllib3 or python-dateutil was compromised.

  • (Score: 2) by Snotnose on Monday November 22, @12:17AM (2 children)

    by Snotnose (1623) on Monday November 22, @12:17AM (#1198461)

    My compiler and glibc are "ancient" and "not worth dorking with". Never mind I write embedded software controlling all sorts of machines.

    C++: I'd rather not, it's too complicated and, let's be honest here, it's going in the wrong direction. When you have things in your syntax you can't google.....
    Python: Been there done that, the whitespace thing fucks teams even in this day of editors auto-changing tabs into spaces. There is always that 1 asshole....
    Java: Love it. But just try setting a pointer to a register at 0xfffc0034 that is an unsigned byte.
    Perl: Love/hate. When I need to do something and have the time to relearn Perl, love it. When I have to revisit that script 2 years later, or fix someone else's script, hate it.

    --
    I really suck at smalltalk. I just asked the woman cutting my hair what she did for a living.
    • (Score: 0) by Anonymous Coward on Monday November 22, @02:18AM

      by Anonymous Coward on Monday November 22, @02:18AM (#1198481)

      c++ can be decent if you ignore everything from TR1 on. And ignore templates. Simple is great, pointer math's good, everything since is the script kiddie's hood.
    • (Score: 2) by Thexalon on Monday November 22, @06:55PM

      by Thexalon (636) on Monday November 22, @06:55PM (#1198630)

      C has its merits, no question. It also has its drawbacks, as the long history of exploitable buffer overflows and bad pointer math makes all too clear.

      But don't worry, if you really want the worst of all the options, it's hard to get much worse than PHP. If you're wondering why PHP 6 doesn't exist, it's because it was so difficult to push the body of legacy PHP code towards something resembling syntactical coherence that they decided to scrap the effort to create syntactical coherence.

      --
      The inverse of "I told you so" is "Nobody could have predicted"