New OpenSSF Repository to Prevent Cyber Attacks on Supply Chain

In response to the growing number of malicious open source packages, the Open Source Security Foundation (OpenSSF) has launched an initiative called the Malicious Packages Repository. Since its launch, the repository has already accumulated more than 15,000 reports on malicious packages, drawing on the package analysis systems of OpenSSF, Checkmarx, and GitHub.

Malicious packages are malware disguised as legitimate open source packages and distributed through popular repositories such as PyPI and npm. They target the developers or organizations that install and run them. An infection can also propagate through the software supply chain, with consequences ranging from unauthorized access and data leakage to data destruction.

In recent months, developers have faced a series of cyber attacks involving malicious packages. For instance, in early October, researchers from ReversingLabs discovered a malicious package named DiscordRAT 2.0 in the npm repository. The package contained a Discord trojan with rootkit functionality, making it an ideal tool for beginner hackers.

In June, Checkmarx researchers revealed a campaign in which cybercriminals found a way to inject malicious code into npm packages without altering their source code: they took over abandoned AWS S3 buckets and replaced the binary files the packages need in order to function.

The OpenSSF Package Analysis project was created to detect malicious packages as soon as they appear. Its approach is to download, install, and execute packages from widely used open source repositories while closely monitoring the commands they run and their network traffic. The Malicious Packages Repository addresses the problem of handling malicious packages across different repositories by providing a single, centralized public resource.

Reports in the Malicious Packages Repository are published in the Open Source Vulnerability (OSV) format, the format commonly used to describe vulnerabilities in open source projects.
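As an added illustration of what consuming such reports looks like (this is example code, not code from the OpenSSF repository): a constructed OSV-style record, with a placeholder id, package name and versions, and a check of whether a given installed package release falls inside its affected list.

```python
import json

# Constructed sample record shaped like an OSV entry; the id, package name,
# summary and versions are placeholders, not a real report.
SAMPLE_OSV_REPORT = json.loads("""
{
  "id": "MAL-0000-EXAMPLE",
  "summary": "Malicious code in example-pkg",
  "affected": [
    {"package": {"ecosystem": "npm", "name": "example-pkg"},
     "ranges": [{"type": "SEMVER", "events": [{"introduced": "0"}]}]},
    {"package": {"ecosystem": "PyPI", "name": "example-pkg"},
     "versions": ["1.0.2", "1.0.3"]}
  ]
}
""")

def _semver_key(version: str) -> tuple:
    """Reduce a version string to a tuple of ints for ordering (pre-release/build tags dropped)."""
    core = version.split("-", 1)[0].split("+", 1)[0]
    return tuple(int(p) if p.isdigit() else 0 for p in core.split("."))

def _in_semver_range(version: str, events: list) -> bool:
    """Walk a sorted OSV event list: affected from 'introduced' up to (excluding) 'fixed'."""
    v = _semver_key(version)
    affected = False
    for event in events:
        if "introduced" in event:
            intro = event["introduced"]
            if intro == "0" or _semver_key(intro) <= v:  # "0" means every version
                affected = True
        elif "fixed" in event and _semver_key(event["fixed"]) <= v:
            affected = False
    return affected

def is_affected(report: dict, ecosystem: str, name: str, version: str) -> bool:
    """True if the given package release is covered by the report's affected list."""
    for entry in report.get("affected", []):
        pkg = entry.get("package", {})
        if pkg.get("ecosystem") != ecosystem or pkg.get("name") != name:
            continue
        if version in entry.get("versions", []):  # explicit version enumeration
            return True
        for rng in entry.get("ranges", []):       # SEMVER ranges (introduced/fixed events)
            if rng.get("type") == "SEMVER" and _in_semver_range(version, rng.get("events", [])):
                return True
    return False
```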

The OpenSSF Malicious Packages Repository aims to strengthen the security of the software supply chain by giving the community the tools it needs to protect against malicious packages and keep its software safe.
