Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

Malware in PyPI Code Shows Supply Chain Risks

A code backdoor in a package on the Python Package Index demonstrates the importance of verifying code brought in from code repositories.

The pace of modern software development requires code reuse, and effective code reuse requires code repositories. These collections of code fragments, functions, libraries, and modules allow developers to write applications without having to reinvent every small (or large) detail in their code. That makes repositories very valuable to developers – and very rich targets for malicious actors.

Researchers at ReversingLabs have discovered the most recent attack against a repository: a module that carries a backdoor found in popular Python repository Python Package Index (also known as PyPI or Cheese Shop). This isn't the first time PyPI has been attacked, but this one is notable because it involves malicious code thought to have been previously fixed.

"Essentially, a backdoor that has been reported before but hasn't been cleaned completely from the repository was still available and live on the Web page," says Robert Perica, principal engineer at ReversingLabs. And while the package involved is not ubiquitous, it is being used. "What's troubling about this package is that even though it's not a popular package, it averages 82 installs per month," Perica says.

The malware resides in a module named "libpeshnx," which is similar to an earlier module named "libpeshna" and was contributed by the same author. According to ReversingLabs' blog post on the discovery, the actual backdoor mechanism is very simple, involving a call to a command-and-control server followed by a wait to be activated.

A Supply Chain Attack
Recent years have seen an increase in the number of attacks launched against companies' supply chains. Most of these involve physical supply chains, but Perica says security professionals need to understand these code repositories – from PyPI to RubyGems, NuGet, and npm – are critical pieces of their software supply chain. That understanding should lead to strong security procedures around code drawn from the repositories.

"Many of these software repositories don't have such a thorough review process during user submissions," Perica says. "Essentially, any user can more or less submit anything."

He contrasts this with open source projects hosted on GitHub, where there is typically a review and approval process for new code added to the official release. Still, PyPI is trusted within the Python developer community. "PyPI is like the official package repository for the Python Software Foundation," Perica notes.

He points out that PyPI hosts more than 188,000 projects, with almost 1.4 million releases and roughly 350,000 users. PyPI is almost certain to be the repository used by beginning developers, Perica adds, whether they're working on individual projects or software for an employer.

Worst-Case Scenario
Writing secure code is complicated by the fact that modules tend to contain other modules. The "dependencies," or network of functions and modules brought together for a single library, can be many layers deep. Perica says the best solution for companies looking to minimize the risk from code repositories is to have a security team look at each library to be used and verify the contents.

It takes a lot of effort, he says, but that effort can still be dramatically less than that required to recover from a major software vulnerability that has been exploited.

Related Content:

 

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

 

 

 

 

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
44% of Security Threats Start in the Cloud
Kelly Sheridan, Staff Editor, Dark Reading,  2/19/2020
Zero-Factor Authentication: Owning Our Data
Nick Selby, Chief Security Officer at Paxos Trust Company,  2/19/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-8818
PUBLISHED: 2020-02-25
An issue was discovered in the CardGate Payments plugin through 2.0.30 for Magento 2. Lack of origin authentication in the IPN callback processing function in Controller/Payment/Callback.php allows an attacker to remotely replace critical plugin settings (merchant ID, secret key, etc.) and therefore...
CVE-2020-8819
PUBLISHED: 2020-02-25
An issue was discovered in the CardGate Payments plugin through 3.1.15 for WooCommerce. Lack of origin authentication in the IPN callback processing function in cardgate/cardgate.php allows an attacker to remotely replace critical plugin settings (merchant ID, secret key, etc.) and therefore bypass ...
CVE-2020-9385
PUBLISHED: 2020-02-25
A NULL Pointer Dereference exists in libzint in Zint 2.7.1 because multiple + characters are mishandled in add_on in upcean.c, when called from eanx in upcean.c during EAN barcode generation.
CVE-2020-9382
PUBLISHED: 2020-02-24
An issue was discovered in the Widgets extension through 1.4.0 for MediaWiki. Improper title sanitization allowed for the execution of any wiki page as a widget (as defined by this extension) via MediaWiki's } parser function.
CVE-2020-1938
PUBLISHED: 2020-02-24
When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that ...