JFrog’s security research team continuously monitors popular open source software (OSS) repositories with their automated tooling to report vulnerable and malicious packages to the repository operators. Earlier this year, they uncovered several malicious packages targeting the private data of developers and downloaded about 30,000 times. Now they are publishing the details about 11 new malware packages that were recently discovered and reported to the PyPI maintainers and promptly removed.
Shachar Menashe, Senior Director of Research at JFrog Security (https://www.jfrog.com/), comments: “Package managers are a growing and powerful vector for unintentionally installing malicious code, and as we discovered with these 11 new PyPI packages, the attackers are becoming more and more sophisticated in their approach. The advanced circumvention techniques used in these malware packages, such as novel exfiltration or even DNS tunneling, signal a disturbing trend that attackers are increasingly sophisticated and elaborate in their attacks on open source software with the aim of remaining undetected and infecting as many machines as possible.
Although DNS tunneling is not a new method that attackers use to go undetected, it is the first time we have discovered it in packages uploaded to PyPI. Package managers can abstract many of the actions that occur in the background when installing third-party software. This also includes the decision to use a local package from the company’s internal repository or a package of the same name from a public and potentially malicious source. This can lead to the automatic and recursive import of dependencies, each of which could be compromised. Today’s blog is not about pointing out vulnerabilities in the version of PyPI developed by the community. Rather, we report on malicious packages that spread through developers who use PyPI without their knowledge.
Our goal is to ensure that the community-run Python package registry is free of malicious packages by automatically scanning popular open source software repositories and by continuously reporting malicious packages to maintainers, thereby reducing risks to the software supply chain.”
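A defender-side illustration of the DNS tunneling signal mentioned above, added here and not code from JFrog or the article: a small heuristic that scans DNS query logs (constructed sample lines in a hypothetical `<epoch> <client_ip> <qname>` format) and flags clients that repeatedly send encoded-looking names to the same domain. The label-length, entropy and repeat-count thresholds are illustrative assumptions, not values from the research.

```python
import math
from collections import Counter

# Constructed sample DNS query log (hypothetical "<epoch> <client_ip> <qname>" format).
SAMPLE_DNS_LOG = """\
1700000001 10.0.0.5 pypi.org
1700000002 10.0.0.5 files.pythonhosted.org
1700000003 10.0.0.7 4a6f686e2d446f652d70617373776f72643a2068756e.8f3c1a9b.tunnel.example
1700000004 10.0.0.7 3a20687a4e4b64394a7a69746f5671334647485a6e4b.1b2c3d4e.tunnel.example
1700000005 10.0.0.7 5a7a31464c5a6e57494a4b59536a5a6b4d4e4f505152.93a4b5c6.tunnel.example
1700000006 10.0.0.9 github.com
1700000007 10.0.0.9 a-very-long-but-benign-cdn-hostname-example.cdn.example
"""

def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payloads score higher than plain hostnames."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def registered_domain(qname: str) -> str:
    # Naive: last two labels. A real deployment should use the public suffix list.
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])

def looks_encoded(qname: str, max_label: int = 30, min_sub_len: int = 40) -> bool:
    """Per-query heuristic: an unusually long label, or a long high-entropy subdomain."""
    labels = qname.lower().rstrip(".").split(".")
    sub = "".join(labels[:-2])  # everything below the registered domain
    if max((len(label) for label in labels), default=0) > max_label:
        return True
    return len(sub) >= min_sub_len and shannon_entropy(sub) >= 3.5

def flag_tunneling(log_text: str, min_queries: int = 3) -> dict:
    """Return {(client, domain): count} for clients that repeatedly send
    encoded-looking queries to one registered domain. Requiring several hits per
    client/domain pair keeps a single long-but-benign CDN hostname from being flagged."""
    hits = Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        _ts, client, qname = parts
        if looks_encoded(qname):
            hits[(client, registered_domain(qname))] += 1
    return {key: n for key, n in hits.items() if n >= min_queries}

if __name__ == "__main__":
    for (client, domain), n in flag_tunneling(SAMPLE_DNS_LOG).items():
        print(f"possible DNS tunneling: {client} -> {domain} ({n} encoded-looking queries)")
```

On the constructed sample only the 10.0.0.7 client talking to tunnel.example is reported; the single long CDN hostname from 10.0.0.9 stays below the repeat threshold.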