Open-Source Security: It's Too Easy to Upload 'Devastating' Malicious Packages, Warns Google
upstart writes:
Open-source security: It's too easy to upload 'devastating' malicious packages, warns Google:
Google has detailed some of the work done to find malicious code packages that have been sneaked into bigger open-source software projects.
The Package Analysis Project is one of the software supply chain initiatives from the Linux Foundation's Open Source Security Foundation (OpenSSF) that should help automate the process of identifying malicious packages distributed on popular package repositories, such as npm for JavaScript and PyPI for Python. It runs a dynamic analysis of all packages uploaded to popular open-source repositories. It aims to provide data about common types of malicious packages and inform those working on open-source software supply chain security about how best to improve it.
[...] "Despite open-source software's essential role in all software built today, it's far too easy for bad actors to circulate malicious packages that attack the systems and users running that software."
[...] Attackers distribute malicious packages on npm and PyPI often enough that it's something OpenSSF, which Google is a member of, decided it needed to be addressed.
Read more of this story at SoylentNews.