Malware in PyPI Code Shows Supply Chain Risks

A code backdoor in a package on the Python Package Index demonstrates the importance of verifying code brought in from code repositories.


The pace of modern software development requires code reuse, and effective code reuse requires code repositories. These collections of code fragments, functions, libraries, and modules allow developers to write applications without having to reinvent every small (or large) detail in their code. That makes repositories very valuable to developers – and very rich targets for malicious actors.

Researchers at ReversingLabs have discovered the most recent attack against a repository: a module carrying a backdoor, found in the popular Python repository Python Package Index (also known as PyPI or the Cheese Shop). This isn't the first time PyPI has been attacked, but this one is notable because it involves malicious code thought to have been previously fixed.

"Essentially, a backdoor that has been reported before but hasn't been cleaned completely from the repository was still available and live on the Web page," says Robert Perica, principal engineer at ReversingLabs. And while the package involved is not ubiquitous, it is being used. "What's troubling about this package is that even though it's not a popular package, it averages 82 installs per month," Perica says.

The malware resides in a module named "libpeshnx," which is similar to an earlier module named "libpeshna" and was contributed by the same author. According to ReversingLabs' blog post on the discovery, the actual backdoor mechanism is very simple, involving a call to a command-and-control server followed by a wait to be activated.

A Supply Chain Attack
Recent years have seen an increase in the number of attacks launched against companies' supply chains. Most of these involve physical supply chains, but Perica says security professionals need to understand that these code repositories – from PyPI to RubyGems, NuGet, and npm – are critical pieces of their software supply chain. That understanding should lead to strong security procedures around code drawn from the repositories.

"Many of these software repositories don't have such a thorough review process during user submissions," Perica says. "Essentially, any user can more or less submit anything."

He contrasts this with open source projects hosted on GitHub, where there is typically a review and approval process for new code added to the official release. Still, PyPI is trusted within the Python developer community. "PyPI is like the official package repository for the Python Software Foundation," Perica notes.

He points out that PyPI hosts more than 188,000 projects, with almost 1.4 million releases and roughly 350,000 users. PyPI is almost certain to be the repository used by beginning developers, Perica adds, whether they're working on individual projects or software for an employer.

Worst-Case Scenario
Writing secure code is complicated by the fact that modules tend to contain other modules. The "dependencies," or network of functions and modules brought together for a single library, can be many layers deep. Perica says the best solution for companies looking to minimize the risk from code repositories is to have a security team look at each library to be used and verify the contents.

It takes a lot of effort, he says, but that effort can still be dramatically less than that required to recover from a major software vulnerability that has been exploited.
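As an added illustration (not code from the article or from ReversingLabs), the sketch below walks a dependency graph breadth-first so that every package, however deeply nested, lands on a review list, and marks names that match or nearly match the two module names reported above. The dependency graph and the name "libpeshnb" are constructed for the example, and the edit-distance near-match rule is an assumption added here, prompted by how similar the two reported names are.

```python
import re
from collections import deque

# Package names reported in the article.
KNOWN_BAD = {"libpeshnx", "libpeshna"}

# Constructed sample graph (not real PyPI metadata); keys are normalized names.
SAMPLE_GRAPH = {
    "webapp-core": ["http-helper", "report-gen"],
    "http-helper": ["tls-utils"],
    "report-gen": ["pdf-tools", "http-helper"],
    "pdf-tools": ["libpeshnx"],
    "tls-utils": ["libpeshnb"],  # constructed look-alike name
}

def normalize(name):
    """PEP 503 normalization: lowercase, runs of '-', '_', '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def audit(direct, graph, known_bad=KNOWN_BAD, max_dist=1):
    """Return (name, depth, path, verdict) for every package reachable from `direct`."""
    findings, seen = [], set()
    queue = deque((normalize(d), [normalize(d)]) for d in direct)
    while queue:
        name, path = queue.popleft()
        if name in seen:
            continue
        seen.add(name)
        if name in known_bad:
            verdict = "known-bad"
        elif any(edit_distance(name, bad) <= max_dist for bad in known_bad):
            verdict = "near-match"
        else:
            verdict = "review"
        findings.append((name, len(path) - 1, " > ".join(path), verdict))
        for dep in graph.get(name, []):
            queue.append((normalize(dep), path + [normalize(dep)]))
    return findings
```

Calling `audit(["WebApp_Core"], SAMPLE_GRAPH)` lists seven packages from a single direct requirement, with the flagged names sitting three levels down.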

About the Author

Curtis Franklin, Principal Analyst, Omdia

Curtis Franklin Jr. is Principal Analyst at Omdia, focusing on enterprise security management. Previously, he was senior editor of Dark Reading, editor of Light Reading's Security Now, and executive editor, technology, at InformationWeek, where he was also executive producer of InformationWeek's online radio and podcast episodes.

Curtis has been writing about technologies and products in computing and networking since the early 1980s. He has been on staff and contributed to technology-industry publications including BYTE, ComputerWorld, CEO, Enterprise Efficiency, ChannelWeb, Network Computing, InfoWorld, PCWorld, Dark Reading, and ITWorld.com on subjects ranging from mobile enterprise computing to enterprise security and wireless networking.

Curtis is the author of thousands of articles, the co-author of five books, and has been a frequent speaker at computer and networking industry conferences across North America and Europe. His most recent books, Cloud Computing: Technologies and Strategies of the Ubiquitous Data Center, and Securing the Cloud: Security Strategies for the Ubiquitous Data Center, with co-author Brian Chee, are published by Taylor and Francis.

When he's not writing, Curtis is a painter, photographer, cook, and multi-instrumentalist musician. He is active in running, amateur radio (KG4GWA), the MakerFX maker space in Orlando, FL, and is a certified Florida Master Naturalist.
