Not too long ago, package repositories were not a target. If you pulled a library from a public repository, it was reasonable to assume it could be trusted and used without issue. That began to change around 2017, when malicious packages started turning up in the Python Package Index (PyPI). There was also the case of researchers at the University of Minnesota deliberately submitting buggy patches to the Linux kernel as an experiment. Somehow this passed their research ethics review. The kernel maintainers responded by banning contributions from the university.
In January 2024, more malicious packages were detected in PyPI. One piece of malware noted this time around was the White Snake Stealer. These were uploaded by a bad actor going by the name "WS". The malware is designed to harvest data from web browsers, cryptocurrency wallets, and other applications.
This is one reason not to trust a repository blindly. Most of the time you will be fine, but you never know. As President Reagan is often quoted, "Trust, but verify." Several openly available tools will scan your dependencies for known vulnerabilities and reported malicious packages, and pinning each dependency to a hash you have already reviewed means a swapped or tampered artifact simply fails to install. The last thing you want is to poison your elegant code with malicious code pulled from a "trusted" repository.
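As an added illustration of "trust, but verify" (example code written for this post, not a tool from the original article), the script below checks a hash-pinned requirements file of the kind pip consumes with `pip install --require-hashes -r requirements.txt` against the bytes actually downloaded (for instance by `pip download`). The package names, the artifact bytes and the "reviewed" hash are all constructed for the example: one package matches its pinned hash, one has been silently replaced since it was reviewed, and one is not pinned at all. A scanner such as `pip-audit` covers known-vulnerable versions; a hash check like this one covers the case where the version looks right but the bytes do not.

```python
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass

# --- Constructed sample data (not real packages, not real artifacts) ---
# Bytes standing in for downloaded wheels. In practice these would be the
# files `pip download -d ./wheels -r requirements.txt` fetched from the index.
ARTIFACTS = {
    "examplepkg": b"PK\x03\x04 examplepkg-1.4.2 wheel contents (constructed)",
    "otherpkg":   b"PK\x03\x04 otherpkg-0.9.0 wheel contents, quietly replaced",
}

# The bytes the team reviewed for otherpkg 0.9.0 when it was first pinned.
# They differ from what the index is serving above: same version, new content.
_REVIEWED_OTHERPKG = b"PK\x03\x04 otherpkg-0.9.0 wheel contents as reviewed"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed requirements file in pip's hash-pinned syntax.
REQUIREMENTS = f"""\
# Pinned the way pip's --require-hashes mode expects.
examplepkg==1.4.2 --hash=sha256:{sha256_hex(ARTIFACTS["examplepkg"])}
otherpkg==0.9.0 --hash=sha256:{sha256_hex(_REVIEWED_OTHERPKG)}
# No exact pin and no hash: whatever the index serves today is accepted.
loosepkg>=2.0
"""

_REQ_LINE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==\s*\S+)?")
_HASH_OPT = re.compile(r"--hash=sha256:([0-9a-fA-F]{64})")


@dataclass
class Finding:
    name: str
    status: str  # "ok" | "mismatch" | "unpinned" | "missing" | "unparsed"
    detail: str = ""


def verify_requirements(req_text: str, artifacts: dict[str, bytes]) -> list[Finding]:
    """Check each requirement line against the bytes actually downloaded.

    A line is "ok" only if it is pinned with == and carries at least one
    sha256 matching the artifact. Several --hash options on one line are
    allowed, as pip allows (e.g. one per platform wheel); any match passes.
    """
    findings: list[Finding] = []
    for raw in req_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = _REQ_LINE.match(line)
        if not m:
            findings.append(Finding(line, "unparsed"))
            continue
        name, pin = m.group(1), m.group(2)
        hashes = {h.lower() for h in _HASH_OPT.findall(line)}
        if not pin or not hashes:
            findings.append(Finding(name, "unpinned", "needs ==version and --hash"))
            continue
        data = artifacts.get(name)
        if data is None:
            findings.append(Finding(name, "missing", "artifact not downloaded"))
            continue
        actual = sha256_hex(data)
        if actual in hashes:
            findings.append(Finding(name, "ok"))
        else:
            findings.append(Finding(name, "mismatch", f"served sha256:{actual[:16]}..."))
    return findings


def install_is_safe(findings: list[Finding]) -> bool:
    """Only proceed when every requirement is pinned and its bytes match."""
    return all(f.status == "ok" for f in findings)


if __name__ == "__main__":
    results = verify_requirements(REQUIREMENTS, ARTIFACTS)
    for f in results:
        print(f"{f.status:9} {f.name:12} {f.detail}")
    print("safe to install:", install_is_safe(results))
```

Run stand-alone it reports `examplepkg` as ok, `otherpkg` as a mismatch and `loosepkg` as unpinned, and refuses the install. The point of the mismatch case is that a version number alone proves nothing; only the hash recorded at review time ties the install to the bytes that were actually looked at.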
Services
Enterprise and Embedded System Cybersecurity Engineering & Architecture
Red Team Product Pentesting | HW & SW BoMs | CBoM |
Vulnerability Management | Tabletop Exercises (TTX) |
Embedded Systems Architecture | Threat Intelligence |
TARA (Threat Assessment and Remediation Analysis) |
Supply Chain Cybersecurity Review
Reverse Engineering
charles.parker@mielcybersecurity.net 810-701-5511