Malware downloaded from PyPI 41,000 times was surprisingly stealthy:
PyPI—the open source repository that both large and small organizations use to download code libraries—was hosting 11 malicious packages that were downloaded more than 41,000 times in one of the latest reported such incidents threatening the software supply chain.
JFrog, a security firm that monitors PyPI and other repositories for malware, said the packages are notable for the lengths their developers took to camouflage their malicious code from network detection. Those lengths include a novel mechanism that uses what's known as a reverse shell to proxy communications with control servers through the Fastly content distribution network. Another technique is DNS tunneling, something that JFrog said it had never seen before in malicious software uploaded to PyPI.
"Package managers are a growing and powerful vector for the unintentional installation of malicious code, and as we discovered with these 11 new PyPI packages, attackers are getting more sophisticated in their approach," Shachar Menashe, senior director of JFrog research, wrote in an email. "The advanced evasion techniques used in these malware packages, such as novel exfiltration or even DNS tunneling (the first we've seen in packages uploaded to PyPI) signal a disturbing trend that attackers are becoming stealthier in their attacks on open source software."
The researchers said that PyPI quickly removed all malicious packages once JFrog reported them.
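The DNS tunneling the article mentions leaves traces in ordinary resolver logs, because encoded data has to travel in query names: long, high-entropy subdomains, stacked chunk labels, and a preference for record types that carry roomy answers. The Python below is an added example, not code from the article, from JFrog's write-up, or from the packages themselves. It scores each query in a constructed BIND-style log on those properties and aggregates hits per registrable domain. The log format, the domain names (attacker-controlled.test uses the reserved .test TLD), and the thresholds are all assumptions chosen for illustration.

```python
"""Heuristic detector for DNS tunnelling in DNS query logs (added example)."""
import math
import re
from collections import Counter, defaultdict

# Constructed sample log. The tunnel labels are built from permutations of the
# 16 hex digits so their entropy is known; a real tunnel would carry encoded data.
P1, P2, P3, P4 = "3f9a1c7e0b5d2486", "e7b2d4f0a9c13586", "c48a0e2f6b13d975", "91d5b73ec0f6a428"
SAMPLE_LOG = "\n".join([
    "client 10.0.0.5#51234: query: www.example.com IN A",
    "client 10.0.0.5#51235: query: pypi.org IN A",
    "client 10.0.0.7#40001: query: files.pythonhosted.org IN AAAA",
    "client 10.0.0.7#40002: query: _acme-challenge.www.example.com IN TXT",
    f"client 10.0.0.9#53001: query: {P1}{P2}.{P3}{P4}.c2.attacker-controlled.test IN TXT",
    f"client 10.0.0.9#53002: query: {P2}{P3}.{P4}{P1}.c3.attacker-controlled.test IN TXT",
    f"client 10.0.0.9#53003: query: {P3}{P4}.{P1}{P2}.c4.attacker-controlled.test IN TXT",
    "client 10.0.0.5#51236: query: cdn.example.net IN A",
])

LINE_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\S+)")

# Assumed thresholds; tune them against a baseline of your own traffic.
MIN_SUBDOMAIN_LEN = 40          # encoded payloads need long names
MIN_LABELS = 3                  # chunk and sequence labels stack up
MIN_ENTROPY = 3.5               # bits/char; hex tops out at 4.0, English words sit near 3
RECORD_TYPES_OF_INTEREST = {"TXT", "NULL"}   # roomy answer types favoured by tunnels
FLAG_SCORE = 4


def parse_line(line):
    """Return {'client', 'name', 'qtype'} for a query line, or None if it does not match."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None


def shannon_entropy(text):
    """Bits of entropy per character of `text` (0.0 for empty input)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def split_name(name):
    """Split a query name into (subdomain labels, registrable domain).

    Assumption: the registrable domain is the last two labels. Production code
    should consult the Public Suffix List so that e.g. example.co.uk is handled.
    """
    labels = name.rstrip(".").lower().split(".")
    return labels[:-2], ".".join(labels[-2:])


def score_query(name, qtype):
    """Score one query; higher is more tunnel-like. Returns (score, reasons)."""
    sub, _ = split_name(name)
    sub_text = "".join(sub)
    score, reasons = 0, []
    if len(sub_text) >= MIN_SUBDOMAIN_LEN:
        score += 2
        reasons.append(f"subdomain length {len(sub_text)}")
    if len(sub) >= MIN_LABELS:
        score += 1
        reasons.append(f"{len(sub)} subdomain labels")
    ent = shannon_entropy(sub_text)
    if ent >= MIN_ENTROPY:
        score += 2
        reasons.append(f"entropy {ent:.2f} bits/char")
    if qtype.upper() in RECORD_TYPES_OF_INTEREST:
        score += 1
        reasons.append(f"{qtype} record")
    return score, reasons


def analyze(log_text):
    """Aggregate flagged queries per registrable domain.

    Returns {domain: {'queries', 'unique_subdomains', 'clients', 'reasons'}} and
    includes only domains with at least one query at or above FLAG_SCORE.
    """
    report = defaultdict(lambda: {"queries": 0, "unique_subdomains": set(),
                                  "clients": set(), "reasons": set()})
    for line in log_text.splitlines():
        q = parse_line(line)
        if not q:
            continue
        score, reasons = score_query(q["name"], q["qtype"])
        if score < FLAG_SCORE:
            continue
        sub, domain = split_name(q["name"])
        entry = report[domain]
        entry["queries"] += 1
        entry["unique_subdomains"].add(".".join(sub))
        entry["clients"].add(q["client"])
        entry["reasons"].update(reasons)
    return {d: {**e, "unique_subdomains": len(e["unique_subdomains"])} for d, e in report.items()}


if __name__ == "__main__":
    for domain, info in analyze(SAMPLE_LOG).items():
        print(f"{domain}: {info['queries']} flagged queries, "
              f"{info['unique_subdomains']} unique subdomains, clients {sorted(info['clients'])}")
        for reason in sorted(info["reasons"]):
            print("  -", reason)
```

The ACME challenge line is there on purpose: a TXT lookup alone scores 1 and is not flagged, so the detector keys on the combination of length, label count and entropy rather than on record type. Per-domain aggregation matters because a tunnel shows up as many distinct subdomains under one parent, which a single-query view misses.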
(Score: 0) by Anonymous Coward on Sunday November 21 2021, @07:57PM (10 children)
We laugh at people who click on links in random emails. They got what they deserved for being stupid. How is this (using random code) any different?
Same with people who install free games that steal their banking passwords. Because we're smarter than that.
Looks pretty stupid in retrospect.
(Score: 2) by PinkyGigglebrain on Sunday November 21 2021, @11:00PM (5 children)
"many eyes" of OSS is always better than "no eyes" of proprietary software. Sure sometimes stuff gets missed, but that is better than no one looking at all.
As another poster commented, there is enough critical info missing from the article that a reasonably educated user would be at least a little suspicious of the claims made in the article. Missing info like the names of the packages involved stands out the most for me. That would be seen as very important info by anyone who didn't want to just stir up some FUD around OSS and/or get some PR for themselves.
"Beware those who would deny you Knowledge, For in their hearts they dream themselves your Master."
(Score: 0) by Anonymous Coward on Sunday November 21 2021, @11:53PM (4 children)
(Score: 2) by Runaway1956 on Monday November 22 2021, @01:23AM (2 children)
Have you seen Microsoft Update? How many computers have been bricked (or had data destroyed) by MS Update in the past 1/4 century? You're telling me that people get fired when that happens?
(Score: 0) by Anonymous Coward on Monday November 22 2021, @02:12AM
And most of the "bricked" devices weren't bricked - a wipe and reinstall was all. And I've run into the exact same problem with Linux updates, where only a wipe and re-install fixed the shitty system - after which it was time to look for yet another distro.
Never had that problem with FreeBSD.
Looking forward to an Apple - if it's as good as the iPhone (which makes Android spyware-as-a-phone look like crap and has generally crappy and short support lifetimes), I'll be happy.
Because honestly I'd rather use XP than any current Linux distro. At least the old games will run great.
But seriously, how many Linux fanbois DON'T have at least 1 Windows box? It's open source's dirty little secret.
(Score: 1, Informative) by Anonymous Coward on Monday November 22 2021, @02:17AM
Or even MacOS/iOS/iPadOS. Even if you give Microsoft some slack because of the huge number of varied systems running Windows, Apple doesn't have the same excuse because they do control the exact base hardware. Apple has also had their share of bricked devices after update and absolutely glaring security holes.
(Score: 2) by PinkyGigglebrain on Monday November 22 2021, @02:04AM
Source code that any decent programmer can look at in their spare time and possibly find bugs, because that's what they have fun doing.
or
source code that no one outside of a select number of people looks at, people who don't really want to make more work for themselves by reporting a bug that they don't think will ever come up within the expected life of the project.
Which would you trust more?
I've seen a lot of source code, proprietary and OSS, that is just absolute garbage held together by hacks and very iffy assumptions. Programmers are human and they make mistakes. Doesn't matter if they are coding for fun or a paycheck, shit is going to happen.
The difference between the two types of code is one can be reviewed by many people who actually want to look at it and can find problems before they cause trouble and the other never gets reviewed outside of a handful of people who already have a looming deadline and don't want to make more work for themselves by reporting an issue that they think will probably never cause a problem within the life of the program.
Do you always take things so literally? Or is that just how you're trying to play this thread to support your viewpoint?
"Beware those who would deny you Knowledge, For in their hearts they dream themselves your Master."
(Score: 0) by Anonymous Coward on Monday November 22 2021, @02:41AM (1 child)
Seems like the many eyes worked here. You had enough of the right eyes looking for these sorts of "bugs" and they ended up finding them.
(Score: 0) by Anonymous Coward on Monday November 22 2021, @08:56AM
(Score: 0) by Anonymous Coward on Monday November 22 2021, @05:15PM
It was just made in the era of academic computer and, later, internet use, when software was still the domain of nerds and computer science/electrical engineering majors, meaning that competent eyes would be looking at the code (and possibly modifying it to fit their purposes). With modern software development and the 'upstart programmer' (brogrammers and 'woke' types alike), we're seeing a lot fewer knowledgeable or experienced eyes looking at code. Given the sheer quantities of code and 'feature creep' because everyone wants to get paid for ongoing work, rather than finding out they were a one hit wonder, and their next project won't pay the bills now that they can't milk the previous one, we've gotten to a point where most people take for granted that 'someone else's eyes are vetting the code', and separately that we now have millions of users who never could vet the code because they don't have the knowledge or experience to know what they are looking for, whether the backdoors are subtle or blatantly obvious.
Really the only solution that makes sense today is a complete machine learning database of existing exploits for each language with a percentage of concern followed by manual review. If this process is transparent it should allow the many eyes to focus on the things that might be exploits until multi-language and discipline malware becomes more common, requiring new ML models and deeper investigation by multiple sets of eyes, or even teams.
(Score: 0) by Anonymous Coward on Monday November 22 2021, @08:00PM
lol, another whore-ass Windows user.