Article 68474 More Malicious Packages Posted to Online Repository. This Time It’s PyPI

More Malicious Packages Posted to Online Repository. This Time It’s PyPI

by
hubie
from SoylentNews on (#68474)

upstart writes:

It's not always easy to spot malicious impostors posing as legit downloads:

Researchers have uncovered yet another supply chain attack targeting an open source code repository, showing that the technique, which has gained wide use in the past few years, isn't going away any time soon.

This time, the repository was PyPI, short for the Python Package Index, which is the official software repository for the Python programming language. Earlier this month, a contributor with the username Lolip0p uploaded three packages to PyPI titled: colorslib, httpslib, and libhttps. The contributor was careful to disguise all three as legitimate packages, in this case, as libraries for creating a terminal user interface and thread-safe connection pooling. All three packages were advertised as providing full-featured usability.

[...] Open source repositories such as PyPI and NPM have become increasingly used as vectors for installing malware through supply chain attacks, which spread malicious software at the source of a legitimate project. From 2018 to 2021, this type of attack grew on NPM almost fourfold and about fivefold on PyPI, according to security firm ReversingLabs. From January to October last year, 1,493 malicious packages were uploaded to PyPI, and 6,977 malicious packages were uploaded to NPM.

[...] "Python end users should always perform due diligence before downloading and running any packages, especially from new authors," ReversingLabs researchers wrote in the post documenting the latest attacks. "And as can be seen, publishing more than one package in a short time period is no indication that an author is reliable."

The same advice should be applied to NPM, RubyGems, and virtually every other open source repository.

Original Submission

Read more of this story at SoylentNews.

External Content
Source RSS or Atom Feed
Feed Location https://soylentnews.org/index.rss
Feed Title SoylentNews
Feed Link https://soylentnews.org/
Feed Copyright Copyright 2014, SoylentNews
Reply 0 comments