From Poison packages – “Supply Chain Risks” user hits Python community with 4000 fake modules
The ease with which trusting users download and install new Python (and Node.js, and Ruby, etc.) components has led to a range of cybercriminal attacks against package managers.
Crooks sometimes Trojanise the repository of a legitimate project, typically by guessing or cracking the password of a package owner’s account, or by helpfully but dishonestly offering to “assist” with a project that the original owner no longer has time to look after.
Once the fake version is uploaded to the genuine repository, users of the now-hacked package automatically get infected as soon as they update to the new version, which works just as it did before, except that it includes hidden malware for the crooks to exploit.
Another trick involves creating Trojanised public versions of private packages that the attacker knows are used internally by a software company.
The public version of the package is given a higher version number than the internal version, and if the company hasn’t secured its auto-updating processes correctly, the attacker may be able to trick a company’s whole development team, or even the organisation’s official software build system, into updating private code from an untrusted (and malicious) external source.
Cybersecurity researcher Alex Birsan famously made well over $100,000 in bug bounties recently by feeding external versions of supposedly internal software packages into dozens of IT giants including Apple, PayPal, Microsoft and Shopify.
This sort of trick is known as a supply chain attack, for obvious reasons.
Opinion:
This is the same attack that happened to Microsoft with Solarwinds. It's staining all open source projects.
Note: This report reports what was found, but calls into question all the minor backdoors that might be still there and/or introduced at any time.
Who's gonna check all these libs for security? Open source usually means built by non-paid enthusiastic newbies with a lot of spare time, not experts. What should happen is for top talented security firms to be hired to examine these libs. So far there are reviews as one-offs for bragging rights. Who's gonna pay for security reviews? This means you have to personally review every open source library for security, before using it.
Therefore I say, open source is dead.
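The dependency-confusion trick the quoted article describes (a public look-alike package with a higher version number outranking an internal one) is easy to see in a small resolver model. The script below is an added example; it is not code from the article, from Sophos, or from the poster above. Package names, version numbers and index contents are constructed for illustration, and the rule that every internal package name starts with `acme-` is an assumption made for the example. The naive policy models what happens when a public index is merely added beside a private one (for pip, `--extra-index-url`): both are searched and the highest version wins. The scoped policy models the fix: internal names are only ever taken from the private index. A third helper lists internal names that have appeared on the public index, which is the check a practitioner would run before the build does it for them.

```python
"""Dependency-confusion simulation (added example, not from the article).

Models a package resolver choosing between a private index and the
public index. All names, versions and index contents are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Candidate:
    name: str
    version: Tuple[int, ...]  # parsed version, e.g. (1, 4, 2)
    index: str                # "private" or "public"


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn a dotted numeric version into a comparable tuple: '1.4.2' -> (1, 4, 2)."""
    return tuple(int(part) for part in v.split("."))


# Constructed sample indexes. 'acme-billing' is an internal package that only
# exists on the private index; an attacker registers the same name on the
# public index with a far higher version so that it outranks the real one.
PRIVATE_INDEX: Dict[str, List[str]] = {
    "acme-billing": ["1.4.2"],
    "acme-auth": ["0.9.0"],
}
PUBLIC_INDEX: Dict[str, List[str]] = {
    "requests": ["2.31.0"],
    "acme-billing": ["99.0.0"],   # attacker-uploaded look-alike
}

# Assumption for this example: every internal package name starts with 'acme-'.
INTERNAL_PREFIXES = ("acme-",)


def candidates(name: str) -> List[Candidate]:
    """Collect every available version of `name` from both indexes."""
    found = []
    for index_name, index in (("private", PRIVATE_INDEX), ("public", PUBLIC_INDEX)):
        for v in index.get(name, []):
            found.append(Candidate(name, parse_version(v), index_name))
    return found


def resolve_naive(name: str) -> Optional[Candidate]:
    """Vulnerable policy: search both indexes, highest version wins.

    This is the behaviour you get when the public index is simply added
    alongside the private one rather than scoped to specific names.
    """
    cands = candidates(name)
    return max(cands, key=lambda c: c.version) if cands else None


def resolve_scoped(name: str) -> Optional[Candidate]:
    """Hardened policy: internal names come only from the private index,
    everything else only from the public index. A public package that
    shadows an internal name is never even considered."""
    wanted = "private" if name.startswith(INTERNAL_PREFIXES) else "public"
    cands = [c for c in candidates(name) if c.index == wanted]
    return max(cands, key=lambda c: c.version) if cands else None


def shadowed_internal_names() -> List[str]:
    """Internal package names that also exist on the public index.

    Any hit here is a sign that someone has squatted an internal name and
    should be investigated (and ideally reserved on the public index).
    """
    return sorted(n for n in PRIVATE_INDEX if n in PUBLIC_INDEX)


if __name__ == "__main__":
    for pkg in ("acme-billing", "acme-auth", "requests"):
        print(pkg, "| naive ->", resolve_naive(pkg), "| scoped ->", resolve_scoped(pkg))
    print("shadowed internal names:", shadowed_internal_names())
```

Running it shows `acme-billing` resolving to the attacker's `99.0.0` under the naive policy and to the real `1.4.2` under the scoped one, while a genuinely public package such as `requests` resolves identically under both. The point of the scoped policy is that the decision is made on the package name, not on the version number, so no version the attacker chooses can win.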