In addition, there are no protections at the registry level to detect malicious packages. “Anyone can write a piece of code and just upload it to those platforms,” Yehuda Gelb, research engineer at Checkmarx, tells CSO. “For example, in Python, you can just create a Python package and upload it, and there’s really no one in PyPI who says, ‘okay, you can’t upload this’ unless someone like us catches them, and we report back to them, and they bring it down.”
Code repositories and package registries do their best to check for malicious packages, but ensuring that the tens of thousands of packages they receive each day are malware-free is not their job. “The problem is that content uploaded to registered open source sites is not checked,” Josef Harush, head of software supply chain security at Checkmarx, tells CSO.
“If I want to publish a GitHub repository, I can do that,” Harush said. “It will become public in an instant. I don’t have filters that do that. If someone reports my GitHub repository as containing malware, then GitHub’s security teams will get involved. It may take some time, and it is possible, after that, the malware package will be removed or hidden from the public. But that depends on the public flagging those donations as bad.”
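Because, as Gelb and Harush describe, nothing at the registry stops an upload until someone reports it, the practical consequence for a consumer of open source is that vetting has to happen on the consuming side, before `pip install` runs a package's setup.py. The following is an added example written for this page, not code from CSO or Checkmarx: it unpacks a PyPI source distribution (sdist) in memory and uses Python's `ast` module to flag the install-time tricks that malicious packages commonly rely on, such as `exec`/`eval`, base64 decoding, spawning shells, making network calls, and overriding the `install` command via `cmdclass`. The two sdists it scans are constructed fixtures built inline (the package names `harmless-pkg` and `evil-pkg` and the `echo pwned` payload are placeholders), so it runs offline.

```python
import ast
import io
import sys
import tarfile

# Calls that malicious setup.py files commonly use to run code at install time.
# This list is a heuristic chosen for the example, not a complete signature set.
SUSPICIOUS_CALLS = {
    "exec", "eval", "compile",
    "base64.b64decode", "base64.b32decode",
    "subprocess.Popen", "subprocess.run", "subprocess.call", "subprocess.check_output",
    "os.system", "os.popen",
    "urllib.request.urlopen", "urllib.request.urlretrieve", "requests.get",
    "socket.socket",
}


def _dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain used as a call target, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def scan_setup_source(source):
    """Return a sorted list of (lineno, description) for suspicious constructs in setup.py source."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _dotted_name(node.func)
        if name in SUSPICIOUS_CALLS:
            hits.append((node.lineno, name))
        # A cmdclass override is how a package hooks arbitrary code into 'pip install'.
        if name == "setup" and any(kw.arg == "cmdclass" for kw in node.keywords):
            hits.append((node.lineno, "setup(cmdclass=...)"))
    return sorted(hits)


def scan_sdist(sdist_bytes):
    """Scan every setup.py inside an sdist tarball given as bytes. Returns {member: hits}."""
    findings = {}
    with tarfile.open(fileobj=io.BytesIO(sdist_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            if member.isfile() and member.name.rsplit("/", 1)[-1] == "setup.py":
                src = tar.extractfile(member).read().decode("utf-8", errors="replace")
                hits = scan_setup_source(src)
                if hits:
                    findings[member.name] = hits
    return findings


def build_sdist(pkg_name, setup_py):
    """Build an in-memory sdist tarball; a constructed fixture, not a real package."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        data = setup_py.encode()
        info = tarfile.TarInfo(name=f"{pkg_name}-0.1/setup.py")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample: a plain setup.py with no install-time code.
BENIGN_SETUP = """
from setuptools import setup
setup(name="harmless-pkg", version="0.1", packages=["harmless"])
"""

# Constructed sample: the classic pattern of a post-install hook that decodes
# and runs a payload. The base64 string decodes to 'echo pwned' and is never executed here.
MALICIOUS_SETUP = """
import base64, subprocess
from setuptools import setup
from setuptools.command.install import install

class PostInstall(install):
    def run(self):
        install.run(self)
        payload = base64.b64decode("ZWNobyBwd25lZA==")
        subprocess.run(payload, shell=True)

setup(name="evil-pkg", version="0.1", cmdclass={"install": PostInstall})
"""


if __name__ == "__main__":
    # Usage: python scan_sdist.py some-package-0.1.tar.gz
    # (the filename scan_sdist.py is an assumption; use whatever you saved this as)
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = build_sdist("evil-pkg", MALICIOUS_SETUP)
    for member, hits in scan_sdist(data).items():
        for lineno, what in hits:
            print(f"{member}:{lineno}: {what}")
```

The scan is deliberately static: it never executes setup.py, because executing it is exactly the step the attacker is counting on. Running it against `pip download --no-deps --no-binary :all: <name>` output before installing gives a cheap gate that the registry itself, per the quotes above, does not provide. It is a heuristic, not a verdict: obfuscated code that builds call names dynamically will slip past `ast` name matching, and a benign package with a legitimate custom install command will be flagged for review.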