PyPi ‘Cheese Shop’ Malware Illustrates Software Supply Chain Risk Vector

Recent malware installed in PyPI underscores the need for code verification at the code repository level to defend the software supply chain.

Known as PyPI or “Cheese Shop”, the Python Package Index has been the target of misuse on several occasions. Most recently it fell victim to typosquatting, an intrusion method that replaces a known component with a compromised one with similar spelling. (In this case, libpeshnx versus libpeshka.)

Close, But No Cigar

Typosquatting means that introducing risk can be as simple as two transposed letters in a file name. Poor project hygiene allows this kind of intrusion to go undetected. Although the risk had been reported earlier, these misspelled and malicious components were still available for download on the component’s website.

“This [risk] is notable because it involves malicious code thought to have been previously fixed,” writes Curtis Franklin, Jr., at DarkReading.

Package repository managers, such as PyPI, RubyGems, and npm, sit between open source packages available for download and in-house development teams. Malicious actors circumvented the package repository manager by inserting code into the (previously approved) component.

This vector is a classic illustration of why understanding open source code dependencies is critical. It’s not enough to know top-level package names and associate those with known vulnerabilities. The Cheese Shop hacks prove that what those top-level packages contain, and their access to other components further down the software supply chain, are where the complications lie in keeping code safe. Users were unaware of the compromised parts, which gave bad actors the potential for lateral access or rights to other components.
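One defensive check the two paragraphs above argue for is auditing a dependency manifest for names that are a near-miss of packages the team has actually vetted, since a single transposition is all a typosquat needs. The following is an added example, not code from the Sonatype post or from PyPI; the allowlist and the requirements text are constructed, and the distance threshold of 2 edits is an assumption.

```python
import re

# Constructed allowlist: the packages this team has actually vetted.
APPROVED = {"requests", "urllib3", "cryptography"}

# Constructed requirements.txt with two near-miss names mixed in.
REQUIREMENTS = """\
requests==2.31.0
urllib3>=1.26
reqeusts          # two transposed letters
cryptograpy       # one dropped letter
Django~=4.2
"""

def normalize(name):
    # PEP 503 normalisation, the same rule PyPI applies to project names.
    return re.sub(r"[-_.]+", "-", name).lower()

def osa_distance(a, b):
    # Optimal string alignment distance: insertion, deletion, substitution and
    # swapping two adjacent characters each cost 1, so "reqeusts" scores 1.
    d = [[i] + [0] * len(b) for i in range(len(a) + 1)]
    d[0] = list(range(len(b) + 1))
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def parse_requirements(text):
    # Normalised project name per line; skips comments, blanks and pip options.
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if m:
            names.append(normalize(m.group(0)))
    return names

def audit(text, approved=APPROVED, max_distance=2):
    # Map each non-approved name to the approved names within max_distance
    # edits of it; an empty list means "unknown", not "near-miss".
    approved = {normalize(n) for n in approved}
    return {n: sorted(a for a in approved if osa_distance(n, a) <= max_distance)
            for n in parse_requirements(text) if n not in approved}
```

Run `audit(REQUIREMENTS)` to see `reqeusts` and `cryptograpy` flagged against their vetted look-alikes while `django` is reported only as not yet on the allowlist.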

Who Moved My Cheese?

As deployed, the Cheese Shop intrusion “involv[ed] a call to a command-and-control server followed by a wait to be activated,” writes Franklin. Could this hack have been stopped or headed off at (Read more...)

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Katie McCaskey. Read the original post at: https://blog.sonatype.com/pypi-cheese-shop-malware-illustrates-software-supply-chain-risk-vector