This is a problem with every open-source tool, including everything from dotnet to node and its various JavaScript friends.
Supply chain risk when building open source is a real concern, and anyone not using suitable scanning tools is a fool and at risk. Thankfully many are available as a free option for open source to help you avoid these issues. Snyk and Sonar have tools that are able to support many different languages, but using language-based ones should not be discounted, as everything in security should be done defence in depth.
Adding items to your build chain takes away from a developer forgetting to run the checks, although it would be good practice for the safety report in this case to be part of a pull request. Doing builds as part of commits to the branch is a great thing, as this could then have run safety and failed the build if any issues were found.
------------------------------
Peter McLarty
Data & IT Security Manager
Redbourne Business Systems
------------------------------
Original Message:
Sent: Jun 29, 2022 04:26:32 AM
From: Ashwani Paliwal
Subject: Why the ecosystem of Python is in danger?
There are advisories if a vulnerability has been identified inside Python's built-in libraries.
But there are no advisories if a third-party, and especially a less popular, library has been identified as malware. Most security folks rely on whitepapers and publications to keep them abreast of any such findings, like this one: https://www.bleepingcomputer.com/news/security/pypi-python-packages-caught-sending-stolen-aws-keys-to-unsecured-sites/
------------------------------
Ashwani Paliwal
CEO
SecOps Solution
Original Message:
Sent: Jun 29, 2022 04:11:09 AM
From: Alex Sharpe
Subject: Why the ecosystem of Python is in danger?
Interesting. Have any alerts, advisories, or something similar been issued for this? Could not find anything after a cursory look.
I know there are both private and Government efforts looking at this class of problems.
------------------------------
Alex Sharpe
Principal
Sharpe42
[email protected]
Original Message:
Sent: Jun 28, 2022 01:13:02 AM
From: Ashwani Paliwal
Subject: Why the ecosystem of Python is in danger?
Python's PyPI repository is broken!
What's PyPI?
If you have used "pip install" to install any Python package, you have downloaded it from the PyPI repository.
In 99% of your use cases, you have never opened the installed package to check its source code and that's fine, you aren't expected to.
It's a library and it is supposed to provide a utility for you to build a more complex program where all your focus typically lies.
But time and again it's been discovered that many of these libraries are also installing either a crypto mining program or stealing your sensitive information like AWS keys and GitHub account credentials.
This has been such a consistent problem that it has ceased to gather any attention altogether now.
How is this possible, you may ask? Well, it's because anyone can upload a new package to the PyPI repository, and its maintainers do little to check for any malicious code being uploaded.
The most common trap is libraries with similar-looking names. "requests" is a legitimate library, whereas "request" is malware which every now and then keeps popping up on PyPI.
Now if you mistakenly happen to type the command
"pip install request"
you have successfully loaded malware that steals the passwords stored on your system.
Python was listed as one of the top 3 popular languages in the StackOverflow 2021 survey. Trust in the ecosystem is a big factor in Python's universal usage, and PyPI's current condition has the capability to single-handedly destroy it.
This needs a fix!
------------------------------
Ashwani Paliwal
CEO
SecOps Solution
------------------------------
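As an added example that is not part of any post in this thread: a small offline gate, written in Python, that applies two of the points raised above. It flags requirement names that are a letter or two away from a vetted package (the "request" vs "requests" trap in Ashwani's original post) and exits non-zero so a build or pull request fails when anything is flagged (the build-chain gating Peter describes). The allowlist KNOWN_GOOD, the sample requirements text and all function names are constructed for the illustration; the threshold of two edits is an assumption. This does not replace a scanner such as safety or Snyk, which check known-bad versions, not look-alike names.

```python
"""Offline requirements.txt gate: near-miss (typosquat) names, unpinned versions, CI exit code.

Added example for this thread, not code from any poster. KNOWN_GOOD and the
sample requirements below are constructed; in practice the allowlist would be
generated from a reviewed lock file.
"""
import re
import sys

# Constructed allowlist standing in for the packages a team has actually vetted.
KNOWN_GOOD = {"requests", "urllib3", "boto3", "numpy", "cryptography",
              "flask", "django", "pyyaml", "pytest"}

REQ_LINE = re.compile(
    r"^([A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?)"   # project name
    r"\s*(?:\[[^\]]*\])?"                               # optional extras, e.g. [security]
    r"\s*(===|==|~=|!=|<=|>=|<|>)?"                     # optional version operator
    r"\s*([^\s;#]*)"                                    # version text (may be empty)
)


def normalize(name):
    """PEP 503 name normalisation: case-insensitive, runs of '-', '_' and '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a, b):
    """Levenshtein distance, classic two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_requirements(text):
    """Yield (name, operator, version) per requirement line; skip comments and pip options (-r, -e, --index-url)."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = REQ_LINE.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(3)


def check_requirements(text, known_good=KNOWN_GOOD, max_distance=2):
    """Return a list of (name, kind, detail) findings; an empty list means the file passed."""
    known = {normalize(k) for k in known_good}
    findings = []
    for name, op, _version in parse_requirements(text):
        norm = normalize(name)
        if norm in known:
            if op not in ("==", "==="):
                findings.append((name, "unpinned",
                                 "pin with == so a newer (possibly hijacked) release is not pulled in"))
            continue
        # Not on the allowlist: is it a near miss of something that is?
        near = sorted(k for k in known if edit_distance(norm, k) <= max_distance)
        if near:
            findings.append((name, "possible-typosquat",
                             "not allowlisted but within %d edits of %s" % (max_distance, ", ".join(near))))
        else:
            findings.append((name, "not-allowlisted", "review and add to the allowlist before use"))
    return findings


# Constructed requirements.txt used when no path is given on the command line.
SAMPLE_REQUIREMENTS = """\
# constructed sample, not a real project
requests==2.28.1
request==1.0.0        # one letter short of 'requests' (the trap described in the thread)
urlib3>=1.26          # one letter short of 'urllib3'
boto3                 # vetted package, but no version pin
PyYAML==6.0           # case and normalisation are handled
"""


def main(argv):
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_REQUIREMENTS
    findings = check_requirements(text)
    for name, kind, detail in findings:
        print("%-12s %-20s %s" % (name, kind, detail))
    # Non-zero exit status is what fails the CI job or blocks the pull request.
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run as `python requirements_gate.py requirements.txt` from the CI step that precedes `pip install`; without an argument it checks the built-in sample and reports `request`, `urlib3` and `boto3`. A distance of two produces false positives on short names (flask/flash), so treat a "possible-typosquat" as "needs a human look" rather than proof of malice, and keep the allowlist normalised the same way pip normalises names or legitimate packages will be flagged.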