posted by janrinok on Sunday November 21 2021, @06:03PM
from the how-many-products-built-with-these-will-actually-get-recalled? dept.

Malware downloaded from PyPI 41,000 times was surprisingly stealthy:

PyPI—the open source repository that both large and small organizations use to download code libraries—was hosting 11 malicious packages that were downloaded more than 41,000 times in one of the latest reported such incidents threatening the software supply chain.

JFrog, a security firm that monitors PyPI and other repositories for malware, said the packages are notable for the lengths its developers took to camouflage their malicious code from network detection. Those lengths include a novel mechanism that uses what's known as a reverse shell to proxy communications with control servers through the Fastly content distribution network. Another technique is DNS tunneling, something that JFrog said it had never seen before in malicious software uploaded to PyPI.

"Package managers are a growing and powerful vector for the unintentional installation of malicious code, and as we discovered with these 11 new PyPI packages, attackers are getting more sophisticated in their approach," Shachar Menashe, senior director of JFrog research, wrote in an email. "The advanced evasion techniques used in these malware packages, such as novel exfiltration or even DNS tunneling (the first we've seen in packages uploaded to PyPI) signal a disturbing trend that attackers are becoming stealthier in their attacks on open source software."

The researchers said that PyPI quickly removed all malicious packages once JFrog reported them.
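The DNS tunneling mentioned above encodes stolen data into subdomain labels of queries for an attacker-controlled zone, which is why it slips past controls that only watch HTTP. The detection logic below is an added example (not JFrog's tooling or code from the article) that scans a constructed DNS query log for zones receiving many long, high-entropy labels; the log format, the `exfil.example` zone and all thresholds are assumptions for illustration.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log, hypothetical "<client-ip> <qname>" format.
# The three base32-looking labels under exfil.example mimic data chunks
# smuggled out one query at a time; the other lines are ordinary lookups.
SAMPLE_LOG = """\
10.0.0.5 pypi.org
10.0.0.5 files.pythonhosted.org
10.0.0.5 mfrgg43fonzsaylumnqwwz3iorzsaknaqaaa.exfil.example
10.0.0.5 nbswy3dpeb3w64tmmqqhe3lfoq4xezjam.exfil.example
10.0.0.5 o3vgmvswyzlsojzq4xezjam7aaaabcdefg.exfil.example
10.0.0.9 mail.example.org
"""

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; encoded payload labels score high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registered_domain(qname: str) -> str:
    """Crude zone cut on the last two labels; production code should use a public-suffix list."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def find_tunnel_candidates(log_text: str, max_label=30, min_entropy=3.5, min_unique=3):
    """Return zones whose queries look like tunneled data.

    A zone is flagged once at least `min_unique` distinct subdomain labels are
    seen that are both long (> max_label chars) and high-entropy (> min_entropy).
    """
    suspicious = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue                      # skip malformed lines
        _, qname = parts
        zone = registered_domain(qname)
        labels = qname.rstrip(".").split(".")[:-2]   # everything left of the zone
        for label in labels:
            if len(label) > max_label and shannon_entropy(label) > min_entropy:
                suspicious[zone].add(label)
    return sorted(z for z, labels in suspicious.items() if len(labels) >= min_unique)
```

Expect false positives from services that legitimately use long random labels (CDN cache keys, reputation-lookup services), so treat a hit as a lead for triage and pair it with the originating process, not as an alert on its own.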


  • (Score: 0) by Anonymous Coward on Monday November 22 2021, @05:15PM (#1198606)

    It was just made in the era of academic computer and later, internet use, when software was still the domain of nerds and computer science/electrical engineering majors, meaning that competent eyes would be looking at the code (and possibly modifying it to fit their purposes). With modern software development, the 'upstart programmer' (brogrammers and 'woke' types alike), we're seeing a lot fewer knowledgeable or experienced eyes looking at code. Given the sheer quantities of code and 'feature creep' because everyone wants to get paid for ongoing work, rather than finding out they were a one hit wonder, and their next project won't pay the bills now that they can't milk the previous one, we've gotten to a point where most people take for granted that 'someone else's eyes are vetting the code', and separately that we now have millions of users who never could vet the code because they don't have the knowledge or experience to know what they are looking for, whether the backdoors are subtle, or blatantly obvious.

    Really the only solution that makes sense today is a complete machine learning database of existing exploits for each language with a percentage of concern followed by manual review. If this process is transparent it should allow the many eyes to focus on the things that might be exploits until multi-language and discipline malware becomes more common, requiring new ML models and deeper investigation by multiple sets of eyes, or even teams.