Software Repository attacks

Malicious packages on PyPI are growing, both Python packages and wheels. There is also the issue of fake packages: names hallucinated by ChatGPT and similar tools are being created and uploaded to PyPI so that developers who are being lazy and vibe coding will eventually download them. Your code is then faulty from scratch, and it won’t be picked up by any security software.

There are over 3000 known malicious packages with more being created daily.

Software BOMs are mandatory for all software being created these days. You need to know not only where your packages come from and what your products use, but ALSO where the libraries THOSE packages use come from.

An example taken from this article from Palo Alto shows a few of these packages. These could bypass Windows SmartScreen and be used for a multitude of things, such as downloading malicious packages, as the developer installing the package or library will have admin rights to do it.

This is from NCSC. The idea that DevOps should “move quickly and deliver quickly” is probably the sole reason that CVEs are exploding, that software contains a LOT more faults than it used to, and that the blast radius is a lot larger. This is not something that cybersecurity can deal with on its own. Platform Engineering should be dictating what libraries the DevOps teams can use, and those libraries should be researched heavily.
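One way a platform team could enforce an approved-library list in CI, so that an unknown or hallucinated package name fails the build before anything is installed. This is an added example, not code from the original post; the allowlist contents, the sample requirements file, the name `example-hallucinated-lib` and the function names are all constructed for illustration.

```python
import re

# Hypothetical allowlist owned by the platform team: normalized name -> approved versions.
APPROVED = {"requests": {"2.32.3"}, "flask-login": {"0.6.3"}}

# Constructed sample requirements file; the digests are placeholders.
SAMPLE_REQUIREMENTS = """\
# web stack
requests==2.32.3 --hash=sha256:<placeholder-digest>
Flask_Login==0.6.3
example-hallucinated-lib>=1.0   # constructed name standing in for an invented package
flask-login[extra]==0.5.0 --hash=sha256:<placeholder-digest>
"""

# Project name, optional [extras], then the version specifier and options.
LINE_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*(.*)$")

def normalize(name):
    """PEP 503 normalization, so Flask_Login and flask-login compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def audit(requirements_text, approved=APPROVED):
    """Return (package, problem) findings; an empty list means the file passes."""
    findings = []
    for raw in requirements_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line or line.startswith("-"):     # skip blanks and pip option lines
            continue
        m = LINE_RE.match(line)
        if not m:
            findings.append((line, "unparseable requirement"))
            continue
        name, rest = normalize(m.group(1)), m.group(2)
        if name not in approved:                 # unknown name: stop here
            findings.append((name, "not on the approved list"))
            continue
        pin = re.match(r"==\s*([^\s;]+)", rest)
        if not pin:
            findings.append((name, "version not pinned with =="))
        elif pin.group(1) not in approved[name]:
            findings.append((name, "version %s not approved" % pin.group(1)))
        if "--hash=" not in rest:                # no artifact digest recorded
            findings.append((name, "no --hash pin"))
    return findings

if __name__ == "__main__":
    for pkg, problem in audit(SAMPLE_REQUIREMENTS):
        print(f"{pkg}: {problem}")
```

pip's own `--require-hashes` mode enforces the digests at install time; this check adds the name and version allowlist on top of it.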

If you’re interested, look at Chainguard secured packages to build your applications on.
