
posted by janrinok on Sunday November 21 2021, @06:03PM
from the how-many-products-built-with-these-will-actually-get-recalled? dept.

Malware downloaded from PyPI 41,000 times was surprisingly stealthy:

PyPI—the open source repository that both large and small organizations use to download code libraries—was hosting 11 malicious packages that were downloaded more than 41,000 times in one of the latest reported such incidents threatening the software supply chain.

JFrog, a security firm that monitors PyPI and other repositories for malware, said the packages are notable for the lengths its developers took to camouflage their malicious code from network detection. Those lengths include a novel mechanism that uses what's known as a reverse shell to proxy communications with control servers through the Fastly content distribution network. Another technique is DNS tunneling, something that JFrog said it had never seen before in malicious software uploaded to PyPI.

"Package managers are a growing and powerful vector for the unintentional installation of malicious code, and as we discovered with these 11 new PyPI packages, attackers are getting more sophisticated in their approach," Shachar Menashe, senior director of JFrog research, wrote in an email. "The advanced evasion techniques used in these malware packages, such as novel exfiltration or even DNS tunneling (the first we've seen in packages uploaded to PyPI) signal a disturbing trend that attackers are becoming stealthier in their attacks on open source software."

The researchers said that PyPI quickly removed all malicious packages once JFrog reported them.
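The DNS tunneling the article mentions leaves a signature in resolver logs that a defender can hunt for: many one-off, random-looking subdomain labels under a single domain. The following is an added example, not code from the article or from JFrog's research; it scores each domain in a few constructed log lines by the entropy of its labels and the share of labels that never repeat. The log format, the thresholds and the naive registered-domain split are all assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed sample resolver log, "<epoch> <client> <queried name>" (not real traffic);
# the four c2-sample.test lines mimic tunneled queries: one-off random labels under one domain.
SAMPLE_LOG = """\
1637520000 10.0.0.5 www.example.com
1637520001 10.0.0.5 pypi.org
1637520002 10.0.0.7 zxq7kf2p9d0ma.c2-sample.test
1637520003 10.0.0.7 4hf8sjd02ldkw.c2-sample.test
1637520004 10.0.0.7 q9pz1mv6t3xya.c2-sample.test
1637520005 10.0.0.7 r2l8dk0vx5nbe.c2-sample.test
1637520006 10.0.0.5 mail.example.com
"""

def shannon_entropy(s):
    """Bits per character; encoded payloads score high, dictionary words score low."""
    if not s:
        return 0.0
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())

def registered_domain(qname):
    """Naive split on the last two labels (assumption; real code uses a public-suffix list)."""
    return ".".join(qname.split(".")[-2:])

def score_domains(log_text, min_queries=3, min_entropy=3.0, min_unique_ratio=0.8):
    """Map domain -> mean label entropy for domains whose subdomain labels look like
    tunneled data: enough queries, high entropy, and nearly every label unique."""
    stats = defaultdict(lambda: {"queries": 0, "labels": set(), "entropy": 0.0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, _client, qname = line.split()
        qname = qname.rstrip(".").lower()
        dom = registered_domain(qname)
        label = qname[: -len(dom) - 1] if len(qname) > len(dom) else ""
        st = stats[dom]
        st["queries"] += 1
        st["labels"].add(label)
        st["entropy"] += shannon_entropy(label)
    flagged = {}
    for dom, st in stats.items():
        if st["queries"] < min_queries:
            continue
        mean_entropy = st["entropy"] / st["queries"]
        unique_ratio = len(st["labels"]) / st["queries"]
        if mean_entropy >= min_entropy and unique_ratio >= min_unique_ratio:
            flagged[dom] = round(mean_entropy, 2)
    return flagged

print(score_domains(SAMPLE_LOG))  # on the constructed data this flags only c2-sample.test
```

Legitimate CDN and analytics hostnames also produce random-looking labels, which matters here because the same packages proxied their reverse shell through a CDN, so treat a hit as a triage signal to compare against a baseline of known-good domains rather than as a verdict.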

(Score: 5, Informative) by Thexalon (636) on Sunday November 21 2021, @07:53PM (#1198390)

    I'd also note here we know absolutely nothing about the 41,000 downloads, and how those packages were used once they were downloaded.

    For instance, if I were a security consulting company wanting to maximize Fear, Uncertainty, and Doubt about everything in a free shared code repository, I wouldn't even dream of doing something like this:
    1. Pay a third party a bunch of money to develop some malicious-but-innocuous-looking Python packages and upload them to PyPI using fake information on how to locate them.

    2. The third party who developed the malicious software tells you exactly where to find it in PyPI, and what the maliciousness they put in is.

    3. From one of your servers, you do something like this:
    # for i in {1..50000}; do wget https://pypi.org/some/malicious/package-0.0.2.tar.bz2; sleep 100; done
    If you run up against download limits, route it through the Tor onion, or get a bunch of free-tier AWS servers or some-such to do this.

    4. Once the download numbers are high enough to look significant, alert PyPI about the problem that you "discovered".

    5. As loudly as possible, tell the world "OMG, there was malicious software in PyPI that got downloaded 50,000 times! And we were the ones who were smart enough to figure it out! Alert the media! Everybody panic! Oh, and by the way, we just happen to sell a solution to the problem." Again, keeping quiet about the origin of the problem.

    None of this means it wouldn't be wise to read through any code you're using in anything important just to be sure you know what's going on, which you can do in an open-source repository like PyPI.

    --
    The only thing that stops a bad guy with a compiler is a good guy with a compiler.