SoylentNews is people

posted by hubie on Monday January 23, @09:52PM
from the pip-install-aw-crud dept.

It's not always easy to spot malicious impostors posing as legit downloads:

Researchers have uncovered yet another supply chain attack targeting an open source code repository, showing that the technique, which has gained wide use in the past few years, isn't going away any time soon.

This time, the repository was PyPI, short for the Python Package Index, which is the official software repository for the Python programming language. Earlier this month, a contributor with the username Lolip0p uploaded three packages to PyPI titled: colorslib, httpslib, and libhttps. The contributor was careful to disguise all three as legitimate packages, in this case, as libraries for creating a terminal user interface and thread-safe connection pooling. All three packages were advertised as providing full-featured usability.

[...] Open source repositories such as PyPI and NPM have become increasingly used as vectors for installing malware through supply chain attacks, which spread malicious software at the source of a legitimate project. From 2018 to 2021, this type of attack grew on NPM almost fourfold and about fivefold on PyPI, according to security firm ReversingLabs. From January to October last year, 1,493 malicious packages were uploaded to PyPI, and 6,977 malicious packages were uploaded to NPM.

[...] "Python end users should always perform due diligence before downloading and running any packages, especially from new authors," ReversingLabs researchers wrote in the post documenting the latest attacks. "And as can be seen, publishing more than one package in a short time period is no indication that an author is reliable."

The same advice should be applied to NPM, RubyGems, and virtually every other open source repository.

  • (Score: 4, Insightful) by Freeman on Monday January 23, @10:09PM (8 children)

    by Freeman (732) on Monday January 23, @10:09PM (#1288250) Journal

    This isn't a new thing. Not even for PyPI. It's an unfortunate thing, but it's definitely something you need to know about. Not necessarily something to be "scared" about, but it's like knowing what kind of neighborhood you're driving through.

    Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
    • (Score: 2) by corey on Monday January 23, @11:13PM (3 children)

      by corey (2202) on Monday January 23, @11:13PM (#1288263)

      I’m confused why “researchers” have found this. Isn’t this all open source, where supposedly people/somebody skims through the code?

      • (Score: 5, Touché) by HiThere on Monday January 23, @11:23PM

        by HiThere (866) on Monday January 23, @11:23PM (#1288266) Journal

        Researchers are some of the people that do that.

        Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.
      • (Score: 2) by RS3 on Monday January 23, @11:49PM

        by RS3 (6367) on Monday January 23, @11:49PM (#1288270)

        Not necessarily.

        Experience enables you to recognize a mistake every time you repeat it.
      • (Score: 3, Interesting) by GloomMower on Tuesday January 24, @04:24PM

        by GloomMower (17961) on Tuesday January 24, @04:24PM (#1288378)

        While it seems like the packages were functional with a bad side effect, it was still sort of type squatting against better legit packages you would rather use. Why would you use libhttps instead of requests? It was posted for a month according to the article, and I already got requests, why would I look at libhttps?

        I do think there could be some organization that companies and individuals could donate to, to help review the packages. Maybe pypi itself can start something up. Doesn't mean something won't go through review that isn't supposed to.

        It is nice of ReversingLabs to let people know, not sure how they get their funding.

    • (Score: 4, Insightful) by Mykl on Tuesday January 24, @12:08AM (3 children)

      by Mykl (1112) on Tuesday January 24, @12:08AM (#1288272)

      I was going to post a snarky comment along the lines of "Tell me again how open source is more secure?", but this problem can exist equally across closed source products that offer extensions (e.g. Photoshop).

      Don't buy stuff from a random guy's car trunk on a street corner and expect it to be genuine.

      • (Score: 5, Insightful) by janrinok on Tuesday January 24, @08:02AM

        by janrinok (52) Subscriber Badge on Tuesday January 24, @08:02AM (#1288336) Journal

        I've moderated you appropriately because you give some sound advice. The problem is that PyPI is supposed to be the place where we go to find high quality libraries that have been assessed by the community over time.

        It is essential to use extreme caution when choosing a library from a repo such as PyPI. If the library is well known then check the name is exactly what it is supposed to be and that the version number is the same as you expect. I avoid very recent updates if at all possible unless there is a sound justification for the changes - adding a new bell or whistle that I do not need does not justify me updating the version of the library into my existing code. If it is just a library that you 'think' might be suitable for use in your project then it is up to you to test it thoroughly before including it in your code. I have sometimes found that simply running the code through some form of 'pretty-print' highlights attempts to obfuscate the true function of a routine but full and rigorous testing is usually essential.

        This is the same problem that we sometimes see with stackoverflow, where programmers (many of whom should know better) simply cut and paste chunks of code into their own projects without understanding the possible side effects of that code. The advice given in stackoverflow is usually very good but it is not something that one should simply accept without better understanding the reason for the problem in the first place.
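
The name-and-version check described in the comment above, as an added example (not code from the article, ReversingLabs or any commenter): it audits requirement lines against a reviewed allowlist and flags near-miss spellings. The allowlist contents, the function names and the 0.7 similarity cutoff are assumptions; the sample lines are constructed, using the package names from the story.

```python
import difflib
import re

# Constructed allowlist (assumption): packages and versions a team has reviewed.
APPROVED = {"requests": "2.28.2", "urllib3": "1.26.14", "colorama": "0.4.6"}

# Constructed requirement lines; the last three names are the ones in the story.
SAMPLE = ["Requests==2.28.2", "urllib3==1.26.13", "colorama>=0.4",
          "reqeusts==2.28.2", "colorslib==1.0", "httpslib==1.0", "libhttps==1.0"]

PINNED = re.compile(r"([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([A-Za-z0-9.!+-]+)")

def normalize(name):
    """PEP 503: names compare case-insensitively; runs of - _ . are equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def audit(lines, approved=APPROVED, cutoff=0.7):
    """Return (requirement, verdict) pairs; only 'ok' lines should install."""
    reviewed = {normalize(k): v for k, v in approved.items()}
    findings = []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        m = PINNED.fullmatch(line)
        if not m:
            findings.append((line, "not pinned to an exact version"))
            continue
        name, version = normalize(m.group(1)), m.group(2)
        if name in reviewed:
            verdict = ("ok" if version == reviewed[name]
                       else f"version differs from reviewed {reviewed[name]}")
        else:
            # Edit-similarity against reviewed names catches near-miss spellings.
            near = difflib.get_close_matches(name, list(reviewed), n=1, cutoff=cutoff)
            verdict = (f"unreviewed; name resembles '{near[0]}'" if near
                       else "unreviewed; inspect before installing")
        findings.append((line, verdict))
    return findings

if __name__ == "__main__":
    for requirement, verdict in audit(SAMPLE):
        print(f"{requirement:20} {verdict}")
```

With this allowlist the three names from the story are not close spellings of any reviewed package, so it is the allowlist check, not the similarity heuristic, that stops them.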

      • (Score: 0) by Anonymous Coward on Tuesday January 24, @02:11PM

        by Anonymous Coward on Tuesday January 24, @02:11PM (#1288354)

        > Don't buy stuff from a random guy's car trunk on a street corner and expect it to be genuine.

        Says the company selling Chinese junk made by 5 year old sex slaves. Got to keep up our high standards.

      • (Score: 2) by PiMuNu on Tuesday January 24, @04:48PM

        by PiMuNu (3823) on Tuesday January 24, @04:48PM (#1288382)

        > random guy's car trunk on a street corner

        Unfortunately, many reputable packages distribute through PyPI. If your local butcher sells rotten meat alongside the good stuff, how are you to know? The conclusion, as you have made, is that all the meat is rotten. That is bad news for Python.

        To take a random, reputable example:
        "NumPy can be installed with conda, with pip, with a package manager on macOS and Linux, or from source." (pip being the PyPI build tool thing)