Stories
Slash Boxes
Comments

SoylentNews is people

Malware Downloaded from PyPI 41,000 Times Was Surprisingly Stealthy

posted by janrinok on Sunday November 21 2021, @06:03PM   Printer-friendly
from the how-many-products-built-with-these-will-actually-get-recalled? dept.

upstart writes:

Malware downloaded from PyPI 41,000 times was surprisingly stealthy:

PyPI—the open source repository that both large and small organizations use to download code libraries—was hosting 11 malicious packages that were downloaded more than 41,000 times in one of the latest reported such incidents threatening the software supply chain.

JFrog, a security firm that monitors PyPI and other repositories for malware, said the packages are notable for the lengths its developers took to camouflage their malicious code from network detection. Those lengths include a novel mechanism that uses what's known as a reverse shell to proxy communications with control servers through the Fastly content distribution network. Another technique is DNS tunneling, something that JFrog said it had never seen before in malicious software uploaded to PyPI.

"Package managers are a growing and powerful vector for the unintentional installation of malicious code, and as we discovered with these 11 new PyPI packages, attackers are getting more sophisticated in their approach, Shachar Menashe, senior director of JFrog research, wrote in an email. "The advanced evasion techniques used in these malware packages, such as novel exfiltration or even DNS tunneling (the first we've seen in packages uploaded to PyPI) signal a disturbing trend that attackers are becoming stealthier in their attacks on open source software."

The researchers said that PyPI quickly removed all malicious packages once JFrog reported them.

Original Submission

 
This discussion has been archived. No new comments can be posted.
Malware Downloaded from PyPI 41,000 Times Was Surprisingly Stealthy | Log In/Create an Account | Top | 22 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 2) by PinkyGigglebrain on Monday November 22 2021, @02:04AM

    by PinkyGigglebrain (4458) on Monday November 22 2021, @02:04AM (#1198477)

    Source code that any decent programmer can look at in their spare time and possibly find bugs because thats what they have fun doing.
    or
    source code that no one outside of a select number of people who don't really want to make more work for themselves by reporting a bug that they don't think will ever come up within the expected life of the project.

    Which would you trust more?

    I've seen a lot of source code, proprietary and OSS, that is just absolute garbage held together by hacks and very iffy assumptions. Programmers are Human and they make mistakes, Doesn't matter if they are coding for fun or a paycheck shit is going to happen.

    The difference between the two types of code is one can be reviewed by many people who actually want to look at it and can find problems before they cause trouble and the other never gets reviewed outside of a handful of people who already have a looming deadline and don't want to make more work for themselves by reporting an issue that they think will probably never cause a problem within the life of the program.

    If you think that proprietary software has a "no eyes" review policy, you're betraying your ignorance.

    Do you always take things so literally? Or is that just how your trying to play this thread to support your viewpoint?

    --
    "Beware those who would deny you Knowledge, For in their hearts they dream themselves your Master."
    Starting Score:    1  point
    Karma-Bonus Modifier   +1  
    Total Score:   2