It has been a while since I wrote about threat actors getting inside software repositories and infecting widely used software packages with malware. These packages are then innocently used by web and software developers, infecting their work, which is then passed on to the end client, potentially you.
The use of software packages and software repositories is an accepted way for developers to deliver high quality, functional code – but it is this wide use that makes the practice such a target for threat actors. Infect one package and then wait for that to impact dozens, hundreds or even thousands of end users.
Some checks and balances are in place with the major repositories, but of course the hackers get round those, for instance by buying up orphaned packages or using valid credentials they have obtained.
Hundreds of malicious Python packages found stealing sensitive data (bleepingcomputer.com)
The campaign in the above article was tracked by researchers across more than 270 packages and found to have been downloaded up to 75,000 times. Each one of those downloads could lead to information being stolen from the end user and from the developer, depending on how they use the code in house.
It is worth reading the article to see how easy the infection is and how far reaching and sophisticated the information-stealing malware is. It will give you an understanding of the problem we face.
Your takeaway from this
This is a classic supply chain attack.
You, or a cyber security professional acting for you, need to take responsibility for any code your organisation uses, including code written for you by independent software and web developers.
We have a checklist that we use when helping clients with these issues. In every case EXCEPT ONE in which we have used it, it has been well received by the developers. It is designed so we can work together to deliver a better service to our mutual client. (It has also led to work with developers to improve their delivery to other clients.)
Interested?
Clive Catton MSc (Cyber Security) – by-line and other articles