List of software quality issues with the number of affected components.
category ALL
Policies
Info
Category
Problem
Proprietary ReversingLabs malware detection algorithms have determined that the software package contains one or more malicious components. The detection was made by either a static byte signature, software component identity, or a complete file hash. This malware detection method is considered highly accurate, and can typically attribute malware to previously discovered software supply chain attacks. It is common to have multiple supply chain attack artifacts that relate to a single malware incident.
Prevalence in PyPI community
0 packages
found in
Top 100
0 packages
found in
Top 1k
11 packages
found in
Top 10k
14.01k packages
in community
Next steps
If the software intent does not relate to malicious behavior, investigate the build and release environment for software supply chain compromise.
Avoid using this software package.
Problem
Threat researchers have manually inspected the software package and determined that it contains one or more malicious files. The detection was made by a hash-based file reputation lookup. This malware detection method is considered highly accurate, and can typically identify the malware family by name.
Prevalence in PyPI community
0 packages
found in
Top 100
0 packages
found in
Top 1k
10 packages
found in
Top 10k
14.02k packages
in community
Next steps
Investigate the build and release environment for software supply chain compromise.
Avoid using this software package.
Problem
Software components contain executable code that performs actions implemented during its development. These actions are called behaviors. In the analysis report, behaviors are presented as human-readable descriptions that best match the underlying code intent. While most behaviors are benign, some are exclusively used by malicious software with the intent to cause harm. When a software package matches behavior traits of malicious software, it becomes flagged by security solutions. It is highly likely that the software package was tampered with by a malicious actor or a rogue insider. Detected threat type matches the behaviors typically exhibited by the infostealer malware profile. Infostealers are commonly used to steal sensitive user data such as stored login details, financial information, and other personally identifiable information.
Prevalence in PyPI community
0 packages
found in
Top 100
0 packages
found in
Top 1k
3 packages
found in
Top 10k
2.05k packages
in community
Next steps
Investigate reported detections.
Investigate your build and release environment for software supply chain compromise.
You should delay the software release until the investigation is completed.
In the case this behavior is intended, rewrite the flagged code without using the malware-like behaviors.
Problem
Software components contain executable code that performs actions implemented during its development. These actions are called behaviors. In the analysis report, behaviors are presented as human-readable descriptions that best match the underlying code intent. Python Package Index (PyPI) repository is often abused by threat actors to publish software packages that exhibit malicious behaviors. Malware authors use numerous tactics to lure developers into including malicious PyPI packages in their software projects. Most malicious packages published on PyPI target developers and their workstations. However, some are designed to activate only when deployed in the end-user environment. Both types of Python malicious packages are detected by proprietary ReversingLabs threat hunting algorithms. This detection method is considered proactive, and it is based on Machine Learning (ML) algorithms that can detect novel malware. The detection is strongly influenced by behaviors that software components exhibit. Behaviors similar to previously discovered malware and software supply chain attacks may cause some otherwise benign software packages to be detected by this policy.
Prevalence in PyPI community
1 packages
found in
Top 100
18 packages
found in
Top 1k
104 packages
found in
Top 10k
16.5k packages
in community
Next steps
Investigate reported detections.
If the software intent does not relate to the reported behavior, investigate your build and release environment for software supply chain compromise.
You should delay the software release until the investigation is completed, or until the issue is risk accepted.
Consider rewriting the flagged code without using the marked behaviors.
Problem
Software developers use programming and design knowledge to build reusable software components. Software components are the basic building blocks for modern applications. Software consumed by an enterprise consists of hundreds, and sometimes even thousands of open source components. Software developers publish components they have authored to public repositories. While a new software project is a welcome addition to the open source community, it is not always prudent to indiscriminately use the latest components when building a commercial application. Irrespective of the software quality, the danger of being the first to try out a new project lies in the fact that the software component may contain novel, currently undetected malicious code. Therefore, it is prudent to review software component behaviors and even try out software component in a sandbox, an environment meant for testing untrusted code.
Prevalence in PyPI community
1 packages
found in
Top 100
13 packages
found in
Top 1k
37 packages
found in
Top 10k
443.06k packages
in community
Next steps
Check the software component behaviors for anomalies.
Consider exploratory software component testing within a sandbox environment.
Consider replacing the software component with a more widely used alternative.
Avoid using this software package until it is vetted as safe.
Problem
Software developers use programming and design knowledge to build reusable software components. Software components are the basic building blocks for modern applications. Software consumed by an enterprise consists of hundreds, and sometimes even thousands of open source components. Software developers publish components they have authored to public repositories. Developers that use open source components within their applications can specify the exact version of the component their application depends on. However, since components are frequently updated, some developers opt to always use the latest version of the software component. This helps reduce the number of vulnerabilities that open source components can introduce in the application. However, it does expose the developer and the build environment to risks associated with software supply chain attacks. Should a threat actor hijack the ownership of the software component publishing account, or even its publishing token, they could issue a malicious update that can infect the build environment or the application itself. To ensure that the build system updates the software component to a malicious version, threat actors often set the version number to an unusually high value. If a build system is instructed to use the latest component version, it will install the component with the highest version number, and execute its code.
Prevalence in PyPI community
0 packages
found in
Top 100
1 packages
found in
Top 1k
7 packages
found in
Top 10k
492 packages
in community
Next steps
Review software component versions to ensure there were no accidental code updates.
If the software component versions differ from expected, investigate the build and release environment for software supply chain compromise.
Consider pinning the software component version to prevent accidental code updates.
Avoid using this software package until it is vetted as safe.
Problem
Software components contain executable code that performs actions implemented during its development. These actions are called behaviors. In the analysis report, behaviors are presented as human-readable descriptions that best match the underlying code intent. While most behaviors are benign, some are commonly abused by malicious software with the intent to cause harm. When a software package shares behavior traits with malicious software, it may become flagged by security solutions. Any detection from security solutions can cause friction for the end-users during software deployment. While the behavior is likely intended by the developer, there is a small chance this detection is true positive, and an early indication of a software supply chain attack.
Prevalence in PyPI community
20 packages
found in
Top 100
92 packages
found in
Top 1k
907 packages
found in
Top 10k
43.88k packages
in community
Next steps
Investigate reported detections.
If the software intent does not relate to the reported behavior, investigate your build and release environment for software supply chain compromise.
You should delay the software release until the investigation is completed, or until the issue is risk accepted.
Consider rewriting the flagged code without using the marked behaviors.
Problem
Out-of-band application security testing tools (OAST) rely on external servers to detect security vulnerabilities in web applications. This form of security testing inspects the web application from the outside in, similar to how the attackers would probe its defenses. External domains are commonly used to facilitate out-of-band security testing. Attackers commonly abuse tools designed for security testing to monitor network traffic and find weaknesses that can be exploited. While the presence of domains related to OAST tools does not imply malicious intent, all of their uses in a software package should be documented and approved. Attackers might have purposely injected security testing tools in the software package to monitor the network traffic of the infected computer system. It is also possible that the software package has mistakenly included a part of its testing infrastructure during packaging.
Prevalence in PyPI community
0 packages
found in
Top 100
2 packages
found in
Top 1k
3 packages
found in
Top 10k
673 packages
in community
Next steps
Investigate reported detections.
If the software should not include these network references, investigate your build and release environment for software supply chain compromise.
You should delay the software release until the investigation is completed, or until the issue is risk accepted.
Consider removing all references to flagged network locations.
Problem
Software developers use programming and design knowledge to build reusable software components. Software components are the basic building blocks for modern applications. Software consumed by an enterprise consists of hundreds, and sometimes even thousands of open source components. Software developers publish components they have authored to public repositories. While a new software project is a welcome addition to the open source community. it is not always prudent to indiscriminately use the latest components when building a commercial application. Irrespective of the software quality, the danger of using components that are rarely used to build applications lies in the fact that the software component may contain novel, currently undetected malicious code. Therefore, it is prudent to review software component behaviors and even try out software component in a sandbox, an environment meant for testing untrusted code.
Prevalence in PyPI community
1 packages
found in
Top 100
11 packages
found in
Top 1k
910 packages
found in
Top 10k
717.09k packages
in community
Next steps
Check the software component behaviors for anomalies.
Consider exploratory software component testing within a sandbox environment.
Consider replacing the software component with a more widely used alternative.
Avoid using this software package until it is vetted as safe.
Problem
Operating systems allow multiple user accounts to coexist on a single computer system. Each registered user has identity information associated with their account. At the very least, user accounts consist of a user name and an optional password. In some cases, user account data may also include personally identifiable information. Extended personal information may include user's given and last name, their email and mailing address, personal photo and their telephone number. Financially motivated attackers may seek to collect personal information for purposes of selling the private data to a third-party. Malicious code that typically exhibits these behavior traits is commonly referred to as an information stealer. While the presence of code that accesses identity information does not necessarily imply malicious intent, all of its uses in a software package should be documented and approved. Accessing identity information is a very common behavior for software packages. One example of acceptable use for such functions is verifying that the active user has purchased a software license that allows them to run the application.
Prevalence in PyPI community
16 packages
found in
Top 100
113 packages
found in
Top 1k
669 packages
found in
Top 10k
19.67k packages
in community
Next steps
Investigate reported detections as indicators of software tampering.
Consult Mitre ATT&CK documentation: T1033 - System Owner/User Discovery.