Eight Malicious Python Packages Pulled from PyPI

1st August 2021, Kathmandu

The maintainers of the Python Package Index (PyPI) have removed eight Python packages that had been downloaded more than 30,000 times for containing malicious code, once again highlighting how software package repositories have become a popular target for supply chain attacks.

JFrog analysts Andrey Polkovnichenko, Omer Kaspi, and Shachar Menashe said on Thursday that even amateur attackers use public software repositories as a platform to spread malware, whether through typosquatting, dependency confusion, or simple social-engineering attacks, owing to the lack of moderation and automated security controls in public software repositories.

The Python Package Index (PyPI) is the official third-party software repository for Python; package-manager utilities such as pip rely on it as the default source for packages and their dependencies.

The eight Python packages, whose payloads were obfuscated with Base64 encoding, are listed below:

  • pytagora (uploaded by leonora123)
  • pytagora2 (uploaded by leonora123)
  • noblesse (uploaded by xin1111)
  • genesisbot (uploaded by xin1111)
  • are (uploaded by xin1111)
  • suffer (uploaded by suffer)
  • noblesse2 (uploaded by suffer)
  • noblessev2 (uploaded by suffer)

The packages above could serve as an entry point for more sophisticated threats: they let the attacker execute code remotely on the host machine, collect system information, steal credit card data and passwords auto-saved in the Chrome and Edge browsers, and even exfiltrate Discord authentication tokens to impersonate the victim.

PyPI is hardly alone among software package repositories that have emerged as a potential attack platform: malicious packages found in npm and RubyGems have come with capabilities that could wreak havoc on an entire system or serve as a valuable jumping-off point for burrowing deeper into a target's network.


Last month, Sonatype and Vdoo uncovered typosquatted packages in PyPI that, once installed, executed a payload shell script that retrieved a third-party cryptominer such as PhoenixMiner, ubqminer, or T-Rex to mine Ethereum and Ubiq on the target systems.

According to JFrog CTO Asaf Karas, the continued discovery of malicious software packages in popular repositories like PyPI is an alarming trend that could lead to widespread supply chain attacks. He added that the ability of attackers to use simple obfuscation techniques to introduce malware means developers have to be concerned and vigilant. Because it is a systemic threat, it needs to be addressed diligently on several layers, both by the maintainers of the software repositories and by developers.

Karas added that, on the developers' side, protective measures such as automated application security tools that inspect for hints of suspicious code included in the project, and verification of library signatures, should be a vital part of any CI/CD pipeline. Such automated tools can alert when malicious code paradigms are used. Updating the security features of public repositories is also very important.
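As an added illustration of the kind of automated pre-install check described above, and of the Base64 obfuscation pattern the listed packages used, the following script is an example written for this page; it is not code from JFrog, PyPI, or any of the packages named. It parses a package's Python source with the `ast` module, flags any `exec`/`eval`/`compile` call whose argument passes through a `base64` decoder, and tries to statically decode the payload so a reviewer can see what would run at install time. The `SAMPLE_SETUP_PY` input is constructed for the example; its embedded payload is a harmless `print`, and the `Finding` type and function names are this example's own.

```python
"""Static scan of Python source for Base64-wrapped payloads handed to exec()/eval().

Added example for this page; not code from any of the reported packages.
"""
import ast
import base64
import binascii
import re
from dataclasses import dataclass

# Constructed sample input: a setup.py in the style of an obfuscated package.
# The payload is built from a harmless string here so the Base64 is exact.
_PAYLOAD = "import os\nprint('payload running as', os.getenv('USER'))"
_B64 = base64.b64encode(_PAYLOAD.encode()).decode()
SAMPLE_SETUP_PY = f'''from setuptools import setup
import base64

_p = "{_B64}"
exec(base64.b64decode(_p))

setup(name="example-pkg", version="0.0.1")
'''

_DYNAMIC_EXEC = {"exec", "eval", "compile"}
_DECODERS = {"b64decode", "b32decode", "b16decode", "b85decode", "a85decode"}


@dataclass
class Finding:
    line: int
    kind: str
    preview: str


def _callee_name(call: ast.Call):
    f = call.func
    if isinstance(f, ast.Name):
        return f.id
    if isinstance(f, ast.Attribute):
        return f.attr
    return None


def _try_decode(s: str):
    """Return decoded text if s is well-formed Base64 that yields printable text."""
    if len(s) < 16 or not re.fullmatch(r"[A-Za-z0-9+/=]+", s):
        return None
    try:
        text = base64.b64decode(s, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    if not all(ch.isprintable() or ch in "\n\r\t" for ch in text):
        return None
    return text


def _decoded_preview(decoder_call: ast.Call, consts: dict) -> str:
    """Resolve the decoder's first argument (literal or simple variable) and decode it."""
    if not decoder_call.args:
        return "<no argument>"
    arg = decoder_call.args[0]
    if isinstance(arg, ast.Constant) and isinstance(arg.value, str):
        raw = arg.value
    elif isinstance(arg, ast.Name) and arg.id in consts:
        raw = consts[arg.id]
    else:
        return "<not statically resolvable>"
    text = _try_decode(raw)
    return "<not valid Base64 text>" if text is None else text[:60].replace("\n", "\\n")


def scan_source(source: str) -> list:
    """Return findings for dynamic execution of decoded data and for long Base64 literals."""
    tree = ast.parse(source)
    # Map simple `name = "literal"` assignments so exec(b64decode(name)) can be resolved.
    consts = {}
    for node in ast.walk(tree):
        if (isinstance(node, ast.Assign) and len(node.targets) == 1
                and isinstance(node.targets[0], ast.Name)
                and isinstance(node.value, ast.Constant)
                and isinstance(node.value.value, str)):
            consts[node.targets[0].id] = node.value.value
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call) and _callee_name(node) in _DYNAMIC_EXEC:
            # Any decoder call anywhere inside the exec/eval argument tree is suspicious.
            for sub in ast.walk(node):
                if isinstance(sub, ast.Call) and _callee_name(sub) in _DECODERS:
                    findings.append(Finding(node.lineno, "dynamic-exec-of-decoded-data",
                                            _decoded_preview(sub, consts)))
                    break
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            text = _try_decode(node.value)
            if text is not None:
                findings.append(Finding(node.lineno, "base64-literal-decodes-to-text",
                                        text[:60].replace("\n", "\\n")))
    return sorted(findings, key=lambda f: f.line)


if __name__ == "__main__":
    for f in scan_source(SAMPLE_SETUP_PY):
        print(f"line {f.line}: {f.kind}: {f.preview}")
```

Run against a downloaded sdist's `setup.py` and modules before installing, the scan surfaces exactly the pattern described in this story: a Base64 literal assigned to a variable and fed to `exec` at build time. It is deliberately narrow (it will not resolve payloads assembled at runtime, fetched over the network, or hidden in compiled extensions), so it complements rather than replaces pinning dependencies by hash with `pip install --require-hashes` and reviewing what a new dependency's install hooks actually do.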
