Cybersecurity and Repositories
Not too long ago, package repositories were not targeted. If you used a library from a repository, there was a reasonable assumption that it could be trusted and used without issue. Around 2017, a trend began of malicious packages being placed in the Python Package Index (PyPI).
There was also the case of the University of Minnesota sending buggy packages to Linux as a research experiment. Somehow this was approved by their research ethics board. The University was banned for their behavior from the repository.
In January 2024, more malicious packages were detected on PyPI. One piece of malware noted this time around was the White Snake Stealer. These were uploaded by a bad actor named “WS”. The malware is designed to harvest data from web browsers, cryptocurrency wallets, and apps. This is one reason not to blindly trust the repositories. You never know. Generally, you will be fine. As President Reagan is often quoted, “Trust, but verify.” There are several tools openly available to scan these packages for vulnerabilities. The last thing you want is to poison your elegant code with malicious code from a “trusted” repository.
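As an added example of the “trust, but verify” habit for PyPI dependencies (this is not code from the original post or from any of the tools it alludes to), the script below does two things a defender would want before installing: it flags requirements entries that are not pinned to an exact version with a `--hash`, which is what pip’s `--require-hashes` mode would reject, and it checks a downloaded artifact’s SHA-256 against the pinned digest so that a tampered or substituted package is caught before it runs. The requirements text, the artifact bytes and the digests are constructed for the demo and are not real package contents or real PyPI hashes.

```python
"""Added example (not from the original post): a minimal "trust, but verify"
check for Python dependencies. It (1) flags entries in a requirements file that
are not pinned to an exact version with a --hash, so pip's --require-hashes
mode would refuse them, and (2) verifies a downloaded artifact's SHA-256
against the pinned digest. Sample requirements text and artifact bytes are
constructed for the demo; the digests are computed here, not real PyPI values.
"""
import hashlib
import re

# Matches "name==1.2.3 --hash=sha256:<64 hex>" (one or more --hash values).
PIN_RE = re.compile(r"^(?P<name>[A-Za-z0-9_.\-]+)==(?P<version>[^\s]+)(?P<rest>.*)$")
HASH_RE = re.compile(r"--hash=sha256:([0-9a-f]{64})")


def parse_requirements(text):
    """Return ({name: {"version": ..., "hashes": set(...)}}, findings).

    `findings` lists lines that would not pass --require-hashes: unpinned
    specifiers and exact pins that carry no --hash. Continuation lines
    ending in a backslash are joined first, as pip does.
    """
    joined = text.replace("\\\n", " ")
    pinned, findings = {}, []
    for raw in joined.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        m = PIN_RE.match(line)
        if not m:
            findings.append(f"not pinned to an exact version: {line!r}")
            continue
        hashes = set(HASH_RE.findall(m.group("rest")))
        if not hashes:
            findings.append(f"no --hash for {m.group('name')}=={m.group('version')}")
        pinned[m.group("name").lower()] = {
            "version": m.group("version"),
            "hashes": hashes,
        }
    return pinned, findings


def verify_artifact(data, name, pinned):
    """Return True only if the artifact's SHA-256 matches a hash pinned for
    `name`. A mismatch means the bytes differ from what was reviewed; a
    missing pin or missing hash is treated as a failure, not a pass."""
    entry = pinned.get(name.lower())
    if not entry or not entry["hashes"]:
        return False
    return hashlib.sha256(data).hexdigest() in entry["hashes"]


# Constructed sample inputs (not real package contents or digests).
GOOD_SDIST = b"fake sdist bytes for demo"
GOOD_SHA = hashlib.sha256(GOOD_SDIST).hexdigest()
SAMPLE_REQUIREMENTS = f"""
# pinned and hashed: acceptable
requests==2.31.0 \\
    --hash=sha256:{GOOD_SHA}
# pinned but no hash: pip --require-hashes would reject this
urllib3==2.0.7
# not pinned at all: any future upload could be installed
flask>=2.0
"""


def demo():
    """Run the checks over the constructed sample and return the results."""
    pinned, findings = parse_requirements(SAMPLE_REQUIREMENTS)
    ok = verify_artifact(GOOD_SDIST, "requests", pinned)
    tampered = verify_artifact(GOOD_SDIST + b"\x00", "requests", pinned)
    return pinned, findings, ok, tampered


if __name__ == "__main__":
    pinned, findings, ok, tampered = demo()
    for f in findings:
        print("FINDING:", f)
    print("requests artifact matches pin:", ok)   # True
    print("tampered artifact matches pin:", tampered)  # False
```

Pinning a version alone only says which release you intended; the hash is what ties the installed bytes to the copy you actually reviewed, which is why the check treats a pin without a hash as a finding rather than a pass.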
About the Author
Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.