{"id":18981,"date":"2022-05-09T03:10:28","date_gmt":"2022-05-09T11:10:28","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2022\/05\/09\/news-12714\/"},"modified":"2022-05-09T03:10:28","modified_gmt":"2022-05-09T11:10:28","slug":"news-12714","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2022\/05\/09\/news-12714\/","title":{"rendered":"A scanning tool for open-sourced software packages? Yes, please!"},"content":{"rendered":"

Credit to Author: Malwarebytes Labs| Date: Mon, 09 May 2022 10:49:02 +0000<\/strong><\/p>\n

The Open Source Security Foundation (OpenSSF), a collective of industry leaders aimed at improving the security of open-source software (OSS), recently announced the release of a prototype tool<\/a> that scans for malicious packages in open source repositories. This tool, conveniently called Package Analysis<\/a>, analyzed and identified at least 200<\/a> malicious packages uploaded to PyPI<\/a> (The Python Package Index) and npm<\/a> after a month of analysis.<\/p>\n

Many have embraced open source for the fun and exciting ways of using it. Organizations of all sizes and industries rely on them for their day-to-day tasks, including critical ones. But because OSS requires people and businesses\u2014sometimes, governments\u2014to trust software developers unquestioningly, open source is susceptible to several risks, including exploitation.<\/p>\n

Caleb Brown, who is part of Google’s Open Source Security Team and OpenSSF’s Securing Critical Projects Working Group, recognizes the considerable role open source plays in the software world and how “it’s far too easy for bad actors to circulate malicious packages that attack the systems and users running that software.”<\/p>\n

“Unlike mobile app stores that can scan for and reject malicious contributions, package repositories have limited resources to review the thousands of daily updates and must maintain an open model where anyone can freely contribute,” Brown said.<\/p>\n

Several open source projects have been the subject of malware incidents. One was found to contain a cryptominer<\/a>, and some have been hijacked to include malware<\/a>. And in the most recent incident, some open source developers decided to take a stand<\/a> against Russia’s invasion of Ukraine. To everyone’s dismay, the protestware also contained a wiper feature designed to destroy all files on systems geolocated in Russia or Belarus.<\/p>\n

The Package Analysis project<\/h2>\n

Package Analysis doesn’t only answer essential “what” questions about a package\u2014”what files does it access, what addresses does it connect to, and what commands does it run?”\u2014but also looks at its behavior over time. This is to alert people when a usually safe package starts to act suspiciously.<\/p>\n

“Unlike mobile app stores that can scan for and reject malicious contributions, package repositories have limited resources to review the thousands of daily updates and must maintain an open model where anyone can freely contribute,” Brown said. “As a result, malicious packages like ua-parser-js<\/a><\/code>, and node-ipc<\/a><\/code> are regularly uploaded to popular repositories despite their best efforts, with sometimes devastating consequences for users.”<\/p>\n

Package Analysis performs dynamic analysis of all packages uploaded to known OSS repositories and records results in a table in BigQuery<\/a>, Google’s cloud warehouse. The scanning tool alerts OSS users of malicious changes to packages they use before they download them. Overall, this secures the software supply chain.<\/p>\n

It’s no surprise to see Google supporting the project, describing it as “a welcome step toward helping secure the open source packages we all depend on.”<\/p>\n

OpenSSF invites anyone interested to get involved in the project. Here is a wishlist of future goals for the project:<\/p>\n