PyPI attack: Targeting of repository 'shows no sign of stopping'
Greater collaboration and understanding of attackers’ tactics is key to mitigating open source security threats


Cyber security experts have warned that the targeting of the Python Package Index (PyPI) repository is likely to continue given its popularity and potential to cause massive disruption.
PyPI has been targeted numerous times in the past year and has been described as a “highly lucrative target” for cyber criminals.
The repository is the official package index for the Python programming language - the most popular language according to the TIOBE index.
“The comparative naivety of the average user, combined with its prolific use, has led to an attacker's dream,” said Liam Follin, CHECK team leader and consultant at Pentest People, to ITPro.
“If you download and run a Python package, you’re running Python code on your own machine. If, just by publishing a package, you could compromise a large number of machines, it is easy to see why an attacker salivates at the idea.”
Following the attack on PyPI over the weekend, security experts have called on the open source community to “develop new infrastructure and invest more in sharing attack data”.
PyPI attack: What happened?
Registration for new users and project packages on the PyPI index was temporarily blocked over the weekend due to a high volume of “malicious activity”.
In a notice to users, maintainers of the repository said they had detected a significant volume of malicious projects and users being created on the repository, prompting the strict response.
The outage lasted for nearly 29 hours and appears to have been exacerbated by the fact that some admins were on leave for the weekend, the status report indicated.
“New user and new project name registration on PyPI is temporarily suspended,” admins said. “The volume of malicious users and malicious projects being created on the index in the past week has outpaced our ability to respond to it in a timely fashion, especially with multiple PyPI administrators on leave.”
“While we re-group over the weekend, new user and new project registration is temporarily suspended.”
While exact details on the incident or the threat actors involved are yet to be disclosed, there are indications that the attack was automated.
Growing open source threats
Researchers at Checkmarx warned that the PyPI attack bears similarities to a host of attacks on open source registries in recent years, and is an issue that has grown in both frequency and intensity.
In August last year, PyPI admins issued a warning over a sophisticated phishing campaign that aimed to steal credentials from package developers.
The JuiceLedger phishing campaign against PyPI contributors successfully compromised a “number of legitimate packages”, researchers at Sentinel Labs revealed at the time.
“In the past few months, we have witnessed actors publishing overwhelming amounts of malicious packages in several open source registries,” said Tzachi ‘Zack’ Zornstain, head of software supply chain at Checkmarx.
“Among these is the NPM incident early last month that flooded the JavaScript package manager and caused a sporadic denial of service. Late last year, we saw a similar incident on the Nuget package manager, which included over 140,000 malicious packages.”
Understanding threat actors key to open source safety
Checkmarx noted that this type of abuse “isn’t specific to PyPI” and will require more concise communication across the open source community to mitigate growing threats.
“We must change the mindset from detecting attacks to identifying attackers,” Zornstain said.
“Only by understanding the attackers’ TTPs and raising the bar will we succeed in keeping the open source community safe. This will require the open source ecosystem to develop new infrastructure and invest more in sharing attack data,” he added.
Follin suggested that the very nature of the PyPI repository makes it difficult to proactively mitigate threats, however.
“It’s very difficult,” he told ITPro. “PyPI is run by a charity, the Python Foundation, which operates with limited funds. The repository is effectively built on trust, and unfortunately, trust is often misplaced in today's world.”
“In effect, it is down to the end user to ensure the PyPI package they are downloading isn't malicious. At the end of the day, there is only so much The Python Foundation can do to keep things safe.”
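As an added illustration of the end-user check Follin describes (example code written for this page, not ITPro's, PyPI's or pip's own): a hash-pinned install check in the style of pip's `--require-hashes` mode, which refuses to accept any archive whose bytes do not match a digest recorded in the requirements file, and treats an unpinned dependency as a failure rather than silently installing whatever the index served. The package name, version and archive bytes below are constructed for the demo.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass, field

_HASH_OPT = re.compile(r"--hash=([A-Za-z0-9_]+):([0-9a-fA-F]+)")
_PIN_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s\\]+)")
ALLOWED_ALGOS = {"sha256", "sha384", "sha512"}  # the algorithms pip's --hash accepts

@dataclass
class PinnedRequirement:
    name: str
    version: str
    hashes: dict[str, set[str]] = field(default_factory=dict)  # algo -> hex digests

def parse_requirement(line: str) -> PinnedRequirement:
    """Parse one requirements.txt line: 'name==ver --hash=algo:hex [--hash=...]'."""
    m = _PIN_RE.match(line)
    if not m:
        raise ValueError(f"not an exact (==) pin: {line!r}")
    req = PinnedRequirement(m.group(1), m.group(2))
    for algo, digest in _HASH_OPT.findall(line):
        algo = algo.lower()
        if algo not in ALLOWED_ALGOS:
            raise ValueError(f"unsupported hash algorithm in pin: {algo}")
        req.hashes.setdefault(algo, set()).add(digest.lower())
    return req

def verify_archive(req: PinnedRequirement, archive: bytes) -> bool:
    """True only if the archive matches a pinned digest; an unpinned requirement fails."""
    if not req.hashes:
        return False  # like pip --require-hashes: nothing unpinned gets installed
    for algo, expected in req.hashes.items():
        actual = hashlib.new(algo, archive).hexdigest()
        if any(hmac.compare_digest(actual, e) for e in expected):
            return True
    return False

# Constructed sample bytes standing in for a downloaded sdist; in practice the file
# pip fetched from PyPI is hashed before it is unpacked or its setup code is run.
GOOD_ARCHIVE = b"PK\x03\x04constructed-sample-archive-for-demo"
PINNED_LINE = f"examplepkg==1.0.0 --hash=sha256:{hashlib.sha256(GOOD_ARCHIVE).hexdigest()}"

def demo() -> dict[str, bool]:
    req = parse_requirement(PINNED_LINE)
    return {
        "genuine": verify_archive(req, GOOD_ARCHIVE),
        "tampered": verify_archive(req, GOOD_ARCHIVE + b"\x00"),  # one byte appended
        "unpinned": verify_archive(parse_requirement("examplepkg==1.0.0"), GOOD_ARCHIVE),
    }
```

Only the genuine archive passes; a modified archive and an unpinned requirement are both rejected, which is the behaviour a hash-checked install gives the end user.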

Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.