PyPile-on: bad actors pour malware into PyPI, npm repos


Welcome to the latest edition of Chainmail: Software Supply Chain Security News, curated by the team at ReversingLabs. This week: a wave of malicious packages washed over the Python Package Index (PyPI), while the npm repository saw a spam campaign of packages containing phishing links.

This Week’s Top Story

PyPile-on: PyPI, npm hit with malicious campaigns

More and more attackers are turning to popular open source platforms like npm, GitHub and PyPI to distribute malware disguised as open source modules. The past week brought more evidence that this trend is going strong, with reports of campaigns totaling thousands of malicious packages pushed to the Python Package Index (PyPI) and npm open source repositories.

On Wednesday, ReversingLabs researcher Lucija Valentić wrote about the discovery of 41 malicious PyPI packages posing as HTTP libraries, with some mimicking popular and widely used libraries. The packages contained malicious code used to deliver second stage malware, and to steal sensitive data from systems on which the malicious libraries were installed.

Then, on Thursday the security firm Phylum reported the discovery of another campaign involving more than 500 malicious packages that were published to PyPI. Some of the malicious packages detected by Phylum contain code that would allow attackers to run PowerShell commands on infected systems and download remote executables. Analysis of the downloaded files is ongoing.

There are similarities between the two attacks, including attackers hiding malicious commands within the setup.py file, as well as attempts to disguise malicious packages as common HTTP libraries with names invoking acronyms like “HTTP,” “URL,” and so on.
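The two traits shared by these campaigns, install-time commands hidden in setup.py and names that imitate well-known HTTP libraries, are both things a defender can triage before a package is ever installed. The following is an added example written for this newsletter, not code from ReversingLabs or Phylum: it parses a setup.py with Python's ast module (so nothing in the file is executed) and lists call sites that have no business running at install time, and it uses difflib to flag a package name that closely resembles a popular HTTP library. The list of library names and the set of flagged calls are assumptions chosen for illustration, and the setup.py below is a constructed sample, not one of the packages reported above.

```python
import ast
import difflib

# Popular HTTP libraries that lookalike names tend to imitate (illustrative list, an assumption of this example).
POPULAR_HTTP_LIBS = ["requests", "urllib3", "httpx", "aiohttp", "httplib2"]

# Calls that should not appear in a setup.py, since setup.py runs with the installing user's privileges.
SUSPICIOUS_CALLS = {
    "exec", "eval", "compile",
    "os.system", "os.popen",
    "subprocess.run", "subprocess.Popen", "subprocess.call", "subprocess.check_output",
    "base64.b64decode", "urllib.request.urlopen", "requests.get",
}

# Constructed sample setup.py showing the pattern; the base64 argument is a placeholder, not a payload.
SAMPLE_SETUP_PY = '''\
from setuptools import setup
import base64, subprocess

# Install-time code that has nothing to do with building the package.
exec(base64.b64decode("BASE64_BLOB_PLACEHOLDER"))
subprocess.run(["echo", "installed"])

setup(name="requestss", version="0.0.1")
'''


def _dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain used as a call target, or None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def scan_setup_py(source):
    """Statically list (line, call) pairs for suspicious calls in setup.py source, without executing it."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = _dotted_name(node.func)
            if name in SUSPICIOUS_CALLS:
                findings.append((node.lineno, name))
    return sorted(findings)


def lookalike_of(package_name, known=POPULAR_HTTP_LIBS, cutoff=0.8):
    """Return the known library this name most resembles, or None if it is an exact match or not close."""
    if package_name in known:
        return None
    matches = difflib.get_close_matches(package_name, known, n=1, cutoff=cutoff)
    return matches[0] if matches else None


def assess_package(name, setup_source):
    """Combine both signals into a small triage record for a package under review."""
    return {
        "name": name,
        "lookalike_of": lookalike_of(name),
        "suspicious_calls": scan_setup_py(setup_source),
    }


if __name__ == "__main__":
    print(assess_package("requestss", SAMPLE_SETUP_PY))
```

Run it against the sdist you get from `pip download --no-deps --no-binary :all: <package>` rather than against an installed copy, because installation is exactly the step that executes setup.py. The AST scan is a triage signal, not a verdict: obfuscated code that builds call names from strings or via getattr will slip past it, so a hit warrants a closer look and a miss does not clear the package.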

Also this week: Checkmarx researcher Yehuda Gelb reported the discovery of thousands of spam packages uploaded to the npm open-source repository. The attack leveraged multiple user accounts to post the packages in a short period of time. Further investigation by Gelb and Checkmarx revealed that the packages were part of a phishing campaign in which attackers flood open source platforms with packages that contain links to phishing campaigns. According to Checkmarx, the packages were created using automated processes, with project descriptions and auto-generated names that closely resembled one another.

These are just the latest examples of attacks leveraging open source platforms. A similar phishing attack targeting developers using npm was identified in December. Also that month, ReversingLabs researcher Karlo Zanki reported the appearance of a PyPI module, dubbed “SentinelSneak,” with a malicious backdoor that was posing as an SDK (software development kit) for the SentinelOne threat detection product. Then, in early February, Fortinet warned of a supply chain attack leveraging 0-day attacks in PyPI packages linked to the malware author Core1337.

Forrester Report: The Software Composition Analysis Landscape Q1 2023 | ReversingLabs

News Roundup

Here are the other software supply chain security stories we’re paying attention to…

Stacked dependencies lead to vulnerabilities

A customer-focused project led security researchers Thomas Rinsma and Kevin Valk of Codean.io down "a rabbit hole finding multiple issues in third-party packages, resulting in critical vulnerabilities in our client's final product." Together with the DIVD they ended up disclosing 6 CVEs. More important: the investigation highlighted the growing risks posed by so-called "stacked dependencies," resulting from modern applications' heavy dependence on third party and open source components, ranging from entire frameworks to small pieces of functionality. Such components in turn rely on similar dependencies. The case of NPM and the left-pad package is one example of this, but the problem of dependency explosion is occurring in many modern software stacks, they write. (Codean.io)
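The "dependency explosion" the Codean.io researchers describe is easy to underestimate because package managers hide it: a handful of direct dependencies can pull in a much deeper tree, and a single small package near the bottom may be reachable through several of them. The following is an added example, not code from Codean.io or the blog post summarized above: it walks a constructed lockfile fragment in the shape of npm's package-lock.json v3 "packages" map, computes every transitive dependency with its depth, and answers the question that matters when one component is compromised, namely which packages would pull it in. The lockfile contents and package names are invented for illustration.

```python
import json
from collections import deque

# Constructed lockfile fragment modelled on npm package-lock.json v3 (not a real project's lockfile).
# Keys are install paths; "" is the root project and "dependencies" lists direct requirements.
SAMPLE_LOCK = json.loads('''
{
  "name": "example-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"dependencies": {"web-framework": "^1.0.0", "cli-colors": "^2.0.0"}},
    "node_modules/web-framework": {"version": "1.0.0",
                                   "dependencies": {"http-util": "^3.0.0", "template-engine": "^1.2.0"}},
    "node_modules/http-util": {"version": "3.0.1", "dependencies": {"tiny-helper": "^1.0.0"}},
    "node_modules/template-engine": {"version": "1.2.0", "dependencies": {"tiny-helper": "^1.0.0"}},
    "node_modules/tiny-helper": {"version": "1.0.0"},
    "node_modules/cli-colors": {"version": "2.0.0"}
  }
}
''')


def dependency_graph(lock):
    """Map package name -> set of direct dependency names from a v3 'packages' map.

    Simplification: a name that appears at several nested node_modules paths (multiple versions
    of one package) collapses into a single node here.
    """
    graph = {}
    for path, entry in lock["packages"].items():
        name = "<root>" if path == "" else path.rsplit("node_modules/", 1)[1]
        graph[name] = set(entry.get("dependencies", {}))
    return graph


def transitive_closure(graph, start="<root>"):
    """Breadth-first walk from start; returns {package: depth} with depth 1 = direct dependency."""
    depth = {}
    queue = deque((dep, 1) for dep in graph.get(start, ()))
    while queue:
        pkg, d = queue.popleft()
        if pkg in depth:          # already reached by a shorter path
            continue
        depth[pkg] = d
        for child in graph.get(pkg, ()):
            queue.append((child, d + 1))
    return depth


def dependents_of(graph, target):
    """Packages that directly require target: the set to review if target turns out to be malicious."""
    return sorted(pkg for pkg, deps in graph.items() if target in deps)


def dependency_report(lock):
    """Summarize how far the direct dependency list understates what actually gets installed."""
    graph = dependency_graph(lock)
    closure = transitive_closure(graph)
    direct = len(graph["<root>"])
    return {
        "direct": direct,
        "transitive": len(closure) - direct,
        "max_depth": max(closure.values(), default=0),
        "depth": closure,
    }


if __name__ == "__main__":
    report = dependency_report(SAMPLE_LOCK)
    print(report)
    print("pulls in tiny-helper:", dependents_of(dependency_graph(SAMPLE_LOCK), "tiny-helper"))
```

In the sample the project declares two dependencies but installs five packages, and the deepest one, tiny-helper, is reachable through two separate parents, so removing either parent would not remove it. Pointing the script at a real package-lock.json instead of SAMPLE_LOCK gives the same two numbers for an actual project; the gap between them is the attack surface that the stacked-dependency argument is about.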

A review of attacks against language-based package managers

The liberalization of software licensing has led to unprecedented re-use of software. Alongside drastically increasing productivity and (arguably) quality of derivative works, it has also introduced multiple attack vectors. The management of software intended for re-use is typically conducted by a package manager, whose role involves installing and updating packages and enabling reproducible environments. Package managers implement various measures to enforce the integrity and accurate resolution of packages to prevent supply chain attacks. In this paper, Aarnav M. Bos of CODE University of Applied Sciences in Berlin reviews supply chain attacks on package managers and categorizes them based on the nature of their impact and their position in the package installation process. (Arxiv)

Escaping misconfigured VSCode extensions

"This two-part blog series will cover how I found and disclosed three vulnerabilities in VSCode extensions and one vulnerability in VSCode itself (a security mitigation bypass assigned CVE-2022-41042). We will identify the underlying cause of each vulnerability and create fully working exploits to demonstrate how an attacker could have compromised your machine. We will also recommend ways to prevent similar issues from occurring in the future." (Trailofbits.com)

Report finds increase in open source use, vulnerabilities

Synopsys released the eighth edition of its Open Source Security and Risk Analysis (OSSRA), which showed dramatic growth in open source use driven, in part, by the global COVID-19 pandemic. According to the report, COVID contributed to the rapid adoption of open source by “EdTech” firms serving the education sector. Use of open source by EdTech firms grew by 163%, as courses and instructor/student interactions increasingly pushed online. Other sectors experiencing a large spike in open source growth include the Aerospace, Aviation, Automotive, Transportation and Logistics sector with a 97% increase and 74% growth in Manufacturing and Robotics.

High-risk vulnerabilities in open source also increased “at an alarming rate” in the past five years, Synopsys found. Since 2019, high-risk vulnerabilities in the Retail and eCommerce sector jumped by 557%. Comparatively, the Internet of Things (IoT) sector, with 89% of the total code being open source, saw a 130% increase in high-risk vulnerabilities in the same period. The Aerospace, Aviation, Automotive, Transportation and Logistics vertical was found to have a 232% increase in high-risk vulnerabilities. (Synopsys)

This will be the year of the SBOM, for better or for worse

“Companies are facing two major truths this year: More cybersecurity regulation and fewer resources,” writes Phylum co-founder Peter Morgan over at Dark Reading. “For the former, it's about time. Cybersecurity needs baseline requirements and government regulations can be a useful forcing function. It's encouraging to see a renewed focus on areas that need real attention, especially software supply chain security. Considering the latter, it means companies are facing a steep climb ahead to implement these new regulations in a year of economic uncertainty.” Chief among those are federal requirements for software publishers to adopt software bills of materials (SBOMs) that serve as a guide and reference to the components of software and services consumed by federal agencies. However, adopting SBOMs will be a “massive undertaking,” Morgan warns. (Dark Reading)


Resource Roundup

On-Demand | Secrets Revealed: CircleCI's Breach & Lessons Learned

Watch Matt Rose from ReversingLabs, the leading provider of threat intelligence and software supply chain security, and Chris Wilder from TAG Cyber as they cover details of the CircleCI hack, the lessons learned from the attack chain, and what organizations of all sizes can do to address this growing attack surface.

Software supply chain threats surge as main driver in SCA evolution

The leading market analyst firm Forrester released its 2023 Software Composition Analysis Landscape report, recognizing ReversingLabs among notable vendors in the SCA space. Download a complimentary copy of Forrester’s SCA report and learn why ReversingLabs is listed among 23 notable vendors.
