SoylentNews is people
SoylentNews
It's not always easy to spot malicious impostors posing as legit downloads:
Researchers have uncovered yet another supply chain attack targeting an open source code repository, showing that the technique, which has gained wide use in the past few years, isn't going away any time soon.
This time, the repository was PyPI, short for the Python Package Index, which is the official software repository for the Python programming language. Earlier this month, a contributor with the username Lolip0p uploaded three packages to PyPI titled: colorslib, httpslib, and libhttps. The contributor was careful to disguise all three as legitimate packages, in this case, as libraries for creating a terminal user interface and thread-safe connection pooling. All three packages were advertised as providing full-featured usability.
[...] Open source repositories such as PyPI and NPM have become increasingly used as vectors for installing malware through supply chain attacks, which spread malicious software at the source of a legitimate project. From 2018 to 2021, this type of attack grew on NPM almost fourfold and about fivefold on PyPI, according to security firm ReversingLabs. From January to October last year, 1,493 malicious packages were uploaded to PyPI, and 6,977 malicious packages were uploaded to NPM.
[...] "Python end users should always perform due diligence before downloading and running any packages, especially from new authors," ReversingLabs researchers wrote in the post documenting the latest attacks. "And as can be seen, publishing more than one package in a short time period is no indication that an author is reliable."
The same advice should be applied to NPM, RubyGems, and virtually every other open source repository.
(Score: 5, Insightful) by janrinok on Tuesday January 24 2023, @08:02AM
I've moderated you appropriately because you give some sound advice. The problem is that PyPi is supposed to be the place where we go to find high quality libraries that have been assessed by the community over time.
It is essential to use extreme caution when choosing a library from a repo such as PyPi. If the library is well known then check the name is exactly what it is supposed to be and that the version number is the same as you expect. I avoid very recent updates if at all possible unless there is a sound justification for the changes - adding a new bell or whistle that I do not need does not justify me updating the version of the library into my existing code. If it is just a library that you 'think' might be suitable for use in your project then it is up to you to test it thoroughly before including it in your code. I have sometimes found that simply running the code through some form of 'pretty-print' highlights attempts to obfuscate the true function of a routine but full and rigorous testing is usually essential.
This is the same problem that we sometimes see with stackoverflow, where programmers (many of whom should know better) simply cut and paste chunks of code into their own projects without understanding the possible side effects of that code. The advice given in stackoverflow is usually very good but it is not something that one should simply accept without better understanding the reason for the problem in the first place.