On May 20th, in an unprecedented move, PyPI (the official Python Package manager) announced they are temporarily suspending new users and new projects registration. This dramatic announcement follows a long line of incidents in which malicious packages were uploaded to PyPI, as well as other package managers. Following this topic closely for over a year, we in Legit observe a huge increase in the number of attackers trying to exploit this attack surface.
As the PyPI team stated: “The volume of malicious users and malicious projects being created on the index in the past week has outpaced our ability to respond to it in a timely fashion.” This incident was resolved on May 21st.
What are the attacks PyPI is dealing with?
A growing number of malicious packages are being uploaded to PyPI by adversaries looking to exploit the victim’s processing power for crypto-mining or DDoS attacks, or hurt the victim directly with Ransomware and data leaks.
There are a few ways these kinds of attacks can be carried out. One is by “Typosquatting” packages – malicious actors will upload packages with names that appear identical to popular packages but contain a slight difference, like a typing error, and wait for someone to make a mistake by selecting the wrong one.
Another way is by uploading a more “genuine” package, that has hidden malicious code. The package will do what it claims, but between the lines, it will also execute code that installs a backdoor in your software, for example.
Some recent attacks include:
“Colour-Blind” Malware: Discovered by Kroll, a risk consulting firm, a PyPI package called “colourfool” was actually an information stealer and remote access tool.
“W4SP” Malware: Information stealing malware discovered in 5 packages with more than 100 downloads each.
How can Legit help?
Legit can help secure an organization’s SDLC from supply-chain attacks by enabling various security controls that harden the pipeline and can prevent and build resiliency to these types of attacks - whether it is code tampering, a malicious insider or an untrusted 3rd party.
In addition, an SCA scanner can help identify the use of vulnerable packages in your code, but it’s not always enough, both because of missing coverage, and the fact that SCA scanners report malicious libraries only after they have been identified by the industry as malicious. With Legit, you can see exactly which part of your organization is covered by scanners and which remains unprotected, on top of managing the received alerts, and harden your pipelines for a case of a zero-day vulnerability.