Malware downloaded from PyPI 41,000 times was surprisingly stealthy:
PyPI—the open source repository that both large and small organizations use to download code libraries—was hosting 11 malicious packages that were downloaded more than 41,000 times in one of the latest reported such incidents threatening the software supply chain.
JFrog, a security firm that monitors PyPI and other repositories for malware, said the packages are notable for the lengths its developers took to camouflage their malicious code from network detection. Those lengths include a novel mechanism that uses what's known as a reverse shell to proxy communications with control servers through the Fastly content distribution network. Another technique is DNS tunneling, something that JFrog said it had never seen before in malicious software uploaded to PyPI.
"Package managers are a growing and powerful vector for the unintentional installation of malicious code, and as we discovered with these 11 new PyPI packages, attackers are getting more sophisticated in their approach," Shachar Menashe, senior director of JFrog research, wrote in an email. "The advanced evasion techniques used in these malware packages, such as novel exfiltration or even DNS tunneling (the first we've seen in packages uploaded to PyPI) signal a disturbing trend that attackers are becoming stealthier in their attacks on open source software."
The researchers said that PyPI quickly removed all malicious packages once JFrog reported them.
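The DNS tunneling the article describes leaves a characteristic shape in resolver logs: many distinct, long, high-entropy labels queried under a single zone, often as TXT records. The script below is an added illustration of how a defender might surface that pattern; it is not JFrog's tooling or anything from the article. The log format (`<timestamp> <client> <qtype> <qname>`), the zone name `exfil.example`, the sample lines and the thresholds are all constructed assumptions.

```python
"""Heuristic detector for DNS-tunnelling patterns in resolver logs.

Added illustration, not JFrog's analysis or tooling. The log format, the
zone "exfil.example", the sample lines and the thresholds are assumptions.
"""
import math
from collections import defaultdict

# Constructed sample log: "<timestamp> <client> <qtype> <qname>" per line.
# Benign lookups are mixed with a burst of long, high-entropy labels under one
# zone, the shape that DNS tunnelling / exfiltration tends to produce.
SAMPLE_LOG = """\
2021-11-21T21:00:01Z 10.0.0.5 A pypi.org
2021-11-21T21:00:02Z 10.0.0.5 A files.pythonhosted.org
2021-11-21T21:00:03Z 10.0.0.7 TXT 4a6f686e20446f65.zmxhzy10b2tlbi1hbmq.exfil.example
2021-11-21T21:00:03Z 10.0.0.7 TXT 7a4c6d9e1f0b3c5d.c2vjcmv0lxbhc3n3b3jk.exfil.example
2021-11-21T21:00:04Z 10.0.0.9 A github.com
2021-11-21T21:00:04Z 10.0.0.7 TXT 0e9f2a3b4c5d6e7f.dxnlcm5hbwu9cm9vda.exfil.example
2021-11-21T21:00:05Z 10.0.0.7 TXT b1c2d3e4f5a60718.cgfzc3dvcmq9ahvudgvy.exfil.example
2021-11-21T21:00:05Z 10.0.0.9 A api.github.com
2021-11-21T21:00:06Z 10.0.0.7 A 9f8e7d6c5b4a3928.agvsbg8gd29ybgqgznjvbq.exfil.example
2021-11-21T21:00:06Z 10.0.0.5 A pypi.org
2021-11-21T21:00:07Z 10.0.0.7 TXT 33445566778899aa.dghpcybpcybhihrlc3q.exfil.example
2021-11-21T21:00:08Z 10.0.0.5 A files.pythonhosted.org
"""


def shannon_entropy(text: str) -> float:
    """Bits per character of `text`; 0.0 for empty or single-symbol input."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line: str):
    """Split one log line into its fields; None for lines that do not fit."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, qtype, qname = parts
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return None
    # Assumption: the registered zone is the last two labels. A real deployment
    # would use a public-suffix list so that e.g. "co.uk" is handled correctly.
    zone = ".".join(labels[-2:])
    prefix = ".".join(labels[:-2])  # everything the client chose to put in front
    return {"ts": ts, "client": client, "qtype": qtype.upper(),
            "zone": zone, "prefix": prefix}


def summarize_by_zone(lines):
    """Aggregate per-zone counters over the parsed log lines."""
    zones = defaultdict(lambda: {"queries": 0, "txt": 0, "prefixes": set(),
                                 "prefix_chars": 0, "entropy_sum": 0.0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        z = zones[rec["zone"]]
        z["queries"] += 1
        if rec["qtype"] == "TXT":
            z["txt"] += 1
        z["prefixes"].add(rec["prefix"])
        z["prefix_chars"] += len(rec["prefix"])
        z["entropy_sum"] += shannon_entropy(rec["prefix"])
    return zones


def find_tunnelling_candidates(lines, min_unique=5, min_mean_len=20.0,
                               min_mean_entropy=3.0):
    """Zones whose query prefixes are numerous, long and high-entropy.

    All three conditions must hold, which keeps ordinary CDN / API hostnames
    (few, short, low-entropy prefixes) out of the result. Thresholds are
    assumptions to be tuned against local baseline traffic.
    """
    results = []
    for zone, z in summarize_by_zone(lines).items():
        n = z["queries"]
        mean_len = z["prefix_chars"] / n
        mean_ent = z["entropy_sum"] / n
        if (len(z["prefixes"]) >= min_unique and mean_len >= min_mean_len
                and mean_ent >= min_mean_entropy):
            results.append({"zone": zone, "queries": n,
                            "unique_prefixes": len(z["prefixes"]),
                            "mean_prefix_len": round(mean_len, 1),
                            "mean_entropy": round(mean_ent, 2),
                            "txt_ratio": round(z["txt"] / n, 2)})
    return sorted(results, key=lambda r: (-r["mean_entropy"], r["zone"]))


if __name__ == "__main__":
    for hit in find_tunnelling_candidates(SAMPLE_LOG.splitlines()):
        print(hit)
```

Run against the constructed sample, only `exfil.example` is reported; `pypi.org`, `pythonhosted.org` and `github.com` fall below the unique-prefix and length thresholds. The TXT ratio is reported rather than used as a gate, because tunnelling over A/AAAA lookups is just as possible and a gate on record type would miss it.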
(Score: 3, Insightful) by dwilson on Sunday November 21 2021, @09:38PM (2 children)
No, package managers have always been recognized as a threat vector, and the people who run them have always been responding to new vulnerabilities and improving security. At least, if they're doing their job, they have been.
Compared to the {apt,rpm}-based systems maintained by just about any Linux distribution, PyPI and NPM are amateur-hour at best. Shame they're so popular. Shame the people generating Python and JavaScript libraries seem to go out of their way to make it hard to package them with traditional methods, driving people to the new (vulnerable) kids on the block.
- D
(Score: 2) by Runaway1956 on Sunday November 21 2021, @10:27PM
I don't think of pip, pypy, Flatpak and similar as a "package manager".
You've got to trust your package management system, so I stay with apt. That's not to say that I've never used anything outside the 'official' software supply, but I just don't trust those systems.
(Score: 0) by Anonymous Coward on Tuesday November 23 2021, @04:09PM
But what are the odds that a random python coder would download one of the malware packages from PyPI and get pwned?
Looking at the infected packages it seems more likely that the company paid people to download the stuff:
importantpackage
important-package
pptest
ipboards
owlmoon
DiscordSafety
trrfab
10Cent10
10Cent11
yandex-yt
yiffparty
I think it'll be noteworthy if something like urllib3 or python-dateutil was compromised.