PyPI, the open-source repository used by both large and small organizations to download code libraries, was hosting 11 malicious packages that were downloaded more than 41k times in one of the latest reports of an incident of this nature.
JFrog found the software supply chain risk. This security firm monitors PyPI, and other repos for malware said that the packages were notable for the lengths the developers went to disguise the code from network detectors.
The measures taken include a niche mechanism known as a reverse shell which can be used to proxy communications with control servers, using the Fastly CDN (Content Network Delivery).
A trend of sophisticated malware
Shachar Manache, the senior director of JFrog research, wrote in an email that package managers are growing as a powerful vector for the unintentional installation of malicious code, as demonstrated by the 11 packages.
The other concern is how sophisticated the malicious software developers are becoming.
The advanced evasion techniques (including DNS tunneling and novel exfiltration) signal a trend that attackers could become much harder to stop as time goes by. The researchers reported that PyPI removed all the malicious packages once JFrog reported them.
One of the early cases of malware in repos
One of the first reported cases of malware distribution using repos was in 2016 when a college student uploaded malicious packaged to PyPI, npm, and RubyGems.
He used names that were very similar to those already submitted packaged with similar names. Over several months, the malicious code was executed more than 45,000 times on more than 17,000 separate domains.
More than half the time, the code was given crucial admin access. Two of the affected domains ended with .mil, meaning that people in the military may have run the script.