Repositories of software packages have become a frequent target for supply chain attacks. Reports concerning malware attacks on prominent repository systems like npm, PyPI, and RubyGems have been recently surfacing. Programmers completely trust repositories and install packages from such sources, provided that they are trustworthy.
Malware packages may be posted to the package repository, permitting malicious actors to leverage repository systems to propagate viruses and start successful attacks both on developers and CI/CD machines in the pipeline.
Eight Python packages that have been installed more than 30,000 times have been deleted from the PyPI portal with malicious code, demonstrating again how software package repositories have developed into a hub for a popular supply chain attack.
The dearth of moderation and automated security safeguards in public software repositories enables relatively unfamiliar attackers, through typosquatting, dependency misunderstanding, or basic social engineering attempts, to utilize them as a base to disseminate malware.
PyPI is Python's primary third-party software repository, which has package manager utilities, such as pip, as its default package and dependency source.
Several of the packages could have been used for more complex threats, allowing the attacker to implement remote code on the target device, collect network data, plunder credit card details, and autosaved passwords in browsers like Chrome and Edge, and sometimes even steal Discord authentication tokens to impersonate the victim.
PyPI is not alone in software package repositories that appear as a potential attack surface to invasions, with rogue packages identified in npm and RubyGems that might potentially damage a complete system or be a useful jump-off point to deepen the network of a victim.
"The continued discovery of malicious software packages in popular repositories like PyPI is an alarming trend that can lead to widespread supply chain attacks," said JFrog CTO Asaf Karas. "The ability for attackers to use simple obfuscation techniques to introduce malware means developers have to be concerned and vigilant. This is a systemic threat, and it needs to be actively addressed on several layers, both by the maintainers of software repositories and by the developers."
Mostly on the programmers' side, precautionary action must form an important part of any CI/CD pipeline, including the confirmation of the signature in the library and the use of automated security instruments that analyze problematic code suggestions included inside the project. Automated tools like these may warn users about the use of harmful code.