Amidst maelstrom of malware, PyPI suspends new accounts
ReversingLabs
Welcome to the latest edition of Chainmail: Software Supply Chain Security News, which brings you the latest software supply chain security headlines from around the world, curated by the team at ReversingLabs.
This week: Administrators of PyPI, the Python Package Index, temporarily suspended the creation of new accounts and projects amidst a storm of malware. Experts say: don’t expect the problem to go away.
This Week’s Top Story
Administrators of the Python Package Index (PyPI), the official repository for Python software, temporarily disabled new user registrations and package uploads on Saturday, May 20th, due to a surge in malicious users and projects. “The volume of malicious users and malicious projects being created on the index in the past week has outpaced our ability to respond to it in a timely fashion, especially with multiple PyPI administrators on leave,” the admins said in a notice published on May 20, 2023.
The suspension lasted only a few hours, but the move to freeze registrations highlighted a growing storm of attacks on software registries, developer environments and the software supply chain in recent months.
While PyPI has only seen a small sliver of those attacks compared to much larger platforms like NPM, the number and pace of attacks on PyPI is increasing. Just since the beginning of the year, there have been a number of campaigns discovered on PyPI. For example:
Despite the growing urgency of the problem, cyber security experts are warning that the targeting of the Python Package Index (PyPI) repository isn’t likely to end, given the popularity of PyPI and the potential to cause massive disruption. "The comparative naivety of the average user, combined with its prolific use, has led to an attacker's dream,” Liam Follin, CHECK team leader and consultant at Pentest People, told IT Pro.
Other News:
GitLab, the popular DevOps software package, released a critical security patch to address a path traversal vulnerability (CVE-2023-2825) found in its Community Edition (CE) and Enterprise Edition (EE) version 16.0.0. The flaw could allow unauthenticated attackers to access arbitrary files on the server, potentially exposing sensitive data such as proprietary software code and user credentials, the company said. (Globalvillagespace.com)
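The GitLab item above describes a path traversal flaw: user-supplied path segments that let a request reach files outside the directory the application meant to serve. The defensive check below is an added illustration written for this newsletter, not GitLab's code or its fix for CVE-2023-2825, and the base directory `/srv/app/uploads` is a constructed placeholder. It canonicalises the joined path and then verifies containment by path components rather than by string prefix, which rejects `..` segments, absolute paths, and look-alike sibling directories such as `/srv/app/uploads_old`.

```python
from pathlib import Path
from typing import Optional

# Constructed base directory for the example; a real application's document
# or upload root would go here.
BASE_DIR = Path("/srv/app/uploads")


def resolve_under_base(user_path: str, base: Path = BASE_DIR) -> Optional[Path]:
    """Resolve user_path relative to base and return it only if it stays inside base.

    Both sides are canonicalised (collapsing '..' and following symlinks that exist)
    before comparison, and the comparison is done with relative_to() on path
    components, so that '/srv/app/uploads_old' is not mistaken for a child of
    '/srv/app/uploads' the way a str.startswith() check would allow.
    Returns None for any escape attempt, including absolute user paths.
    """
    base_resolved = base.resolve(strict=False)
    # Joining an absolute user path discards base entirely; resolving the result
    # and then calling relative_to() catches that case as well as '..' segments.
    candidate = (base_resolved / user_path).resolve(strict=False)
    try:
        candidate.relative_to(base_resolved)
    except ValueError:
        return None
    return candidate


def is_safe_path(user_path: str, base: Path = BASE_DIR) -> bool:
    """Convenience wrapper: True when resolve_under_base() accepts the path."""
    return resolve_under_base(user_path, base) is not None


if __name__ == "__main__":
    # Constructed inputs: two legitimate paths and two escape attempts.
    for p in ["reports/q1.txt", "reports/../q1.txt", "../../etc/passwd", "/etc/passwd"]:
        print(f"{p!r:22} -> {resolve_under_base(p)}")
```

The check assumes the web framework has already percent-decoded the path once; running it on a still-encoded value such as `%2e%2e%2f` would treat those characters as a literal file name and the containment test would pass for the wrong reason, so decode exactly once, then canonicalise, then compare.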
GitGuardian released its 2023 State of Secrets Sprawl and said it found a significant increase in the number of secrets exposed via source code. Recent cybersecurity incidents involving Uber and Toyota highlight the dangers of hard-coded secrets. The 2023 State of Secrets Sprawl report shows a 67% year-over-year increase in the number of secrets found. In all, 10 million hard-coded secrets were detected in 2022 alone, with about one of every 10 code authors exposing a secret in 2022, making it a widespread issue among developers. (The Hacker News)
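The GitGuardian figures above are about hard-coded secrets committed to source. A minimal version of the detection that secrets scanners perform is shown below as an added example for this newsletter; it is not GitGuardian's scanner or its rules. The structured prefixes (`AKIA` for AWS access key IDs, `ghp_` for GitHub personal access tokens) are real formats, the generic assignment rule is a heuristic that needs entropy and placeholder filters to keep false positives down, and the sample source text and the key values in it are constructed for the example.

```python
import math
import re
from collections import Counter
from typing import List, Tuple

# Constructed detection rules for the example. Structured rules match a known
# token format; the generic rule matches "password = '...'" style assignments and
# is filtered further below. Each rule captures the candidate secret as 'value'.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"(?P<value>\bAKIA[0-9A-Z]{16}\b)"),
    "github_token": re.compile(r"(?P<value>\bghp_[A-Za-z0-9]{36}\b)"),
    "generic_assignment": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"](?P<value>[^'\"]{8,})['\"]"
    ),
}

# Values that look like templates or documentation placeholders, not real secrets.
PLACEHOLDER = re.compile(r"^\$\{|^<.*>$|example|changeme|your[_-]", re.IGNORECASE)
MIN_GENERIC_ENTROPY = 3.0  # bits per character; a loose threshold chosen for this example


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def redact(value: str) -> str:
    """Keep only a short prefix so the report itself does not re-leak the secret."""
    return value[:4] + "***"


def scan_source(text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, rule name, redacted value) for each likely hard-coded secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in SECRET_PATTERNS.items():
            m = pattern.search(line)
            if not m:
                continue
            value = m.group("value")
            if rule == "generic_assignment":
                # Drop template placeholders and low-entropy dummy values.
                if PLACEHOLDER.search(value) or shannon_entropy(value) < MIN_GENERIC_ENTROPY:
                    continue
            findings.append((lineno, rule, redact(value)))
            break  # one finding per line; structured rules take precedence
    return findings


# Constructed sample: two real-format tokens (values made up), one env lookup,
# one template placeholder, one dummy value and one high-entropy literal.
SAMPLE_SOURCE = """\
import os
AWS_ACCESS_KEY_ID = "AKIAZZ4Q7TESTKEY0001"
db_password = os.environ["DB_PASSWORD"]
api_key = "${API_KEY}"
GITHUB_TOKEN = "ghp_Ab3dEf9hIj2kLm4nOp6qRs8tUv0wXy1zAb3d"
SECRET = "aaaaaaaaaaaaaaaa"
DB_PASSWORD = "s3cr3t-P4ssw0rd-Xy9!"
"""

if __name__ == "__main__":
    for lineno, rule, shown in scan_source(SAMPLE_SOURCE):
        print(f"line {lineno}: {rule} ({shown})")
```

Lines 3, 4 and 6 of the sample are intentionally not reported: the environment lookup never matches, the `${API_KEY}` template is dropped by the placeholder filter, and the run of `a` characters falls below the entropy threshold. Production scanners layer far more rules, verify some credentials against the issuing service, and run in pre-commit hooks and CI so a secret is caught before it reaches a shared history.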
The increase in API usage has led to a surge in API attacks, with outdated and abandoned APIs posing a significant security threat. Organizations are struggling to manage the large number of APIs they have, and the Salt Labs State of API Security report highlights a 400% increase in unique attackers. API breaches can occur due to poor coding practices or business logic vulnerabilities. API security risks have become a concern at the C-level, and implementing API-specific security measures and adopting a zero trust approach can help mitigate these risks. (Security Intelligence)
Resource Round Up
Video: Who is ReversingLabs?
In this episode, Matt answers a simple yet important question: Who is ReversingLabs? He does so by recalling the company’s history, dating back to 2009, and tracing how it became a leading provider of software supply chain security. [Watch Now]
Podcast: Red Teaming the Indian Government
In this episode, host Paul Roberts chats with John Jackson, a senior offensive security consultant, about red team exercises he and the security research group Sakura Samurai conducted on web sites and applications belonging to the government of India. [Listen Now]
Software Package Deconstruction Web Series: Episodes on 3CX, Tabby and Notepad++ Software Packages are now available On Demand!
In each episode of the new ReversingLabs application security series we deconstruct, analyze, and expose hidden risks inside some of the largest, most complex software packages. App Sec and Dev Teams will see the ReversingLabs Software Supply Chain Security platform in action and how it provides teams with newfound confidence and the ability to make Go/No Go software release decisions based on the most comprehensive view of software risk in the industry. [Watch Now]