sketchfab-spinner

Problem

Software components contain executable code that performs actions implemented during its development. These actions are called behaviors. In the analysis report, behaviors are presented as human-readable descriptions that best match the underlying code intent. Python Package Index (PyPI) repository is often abused by threat actors to publish software packages that exhibit malicious behaviors. Malware authors use numerous tactics to lure developers into including malicious PyPI packages in their software projects. Most malicious packages published on PyPI target developers and their workstations. However, some are designed to activate only when deployed in the end-user environment. Both types of Python malicious packages are detected by proprietary ReversingLabs threat hunting algorithms. This detection method is considered proactive, and it is based on Machine Learning (ML) algorithms that can detect novel malware. The detection is strongly influenced by behaviors that software components exhibit. Behaviors similar to previously discovered malware and software supply chain attacks may cause some otherwise benign software packages to be detected by this policy.

Problem

Software developers use programming and design knowledge to build reusable software components. Software components are the basic building blocks for modern applications. Software consumed by an enterprise consists of hundreds, and sometimes even thousands of open source components. Software developers publish components they have authored to public repositories. While a new software project is a welcome addition to the open source community, it is not always prudent to indiscriminately use the latest components when building a commercial application. Irrespective of the software quality, the danger of being the first to try out a new project lies in the fact that the software component may contain novel, currently undetected malicious code. Therefore, it is prudent to review software component behaviors and even try out software component in a sandbox, an environment meant for testing untrusted code.

Prevalence in PyPI community

No prevalence information at this time

Problem

Software developers use programming and design knowledge to build reusable software components. Software components are the basic building blocks for modern applications. Software consumed by an enterprise consists of hundreds, and sometimes even thousands of open source components. Software developers publish components they have authored to public repositories. Developers that use open source components within their applications can specify the exact version of the component their application depends on. However, since components are frequently updated, some developers opt to always use the latest version of the software component. This helps reduce the number of vulnerabilities that open source components can introduce in the application. However, it does expose the developer and the build environment to risks associated with software supply chain attacks. Should a threat actor hijack the ownership of the software component publishing account, or even its publishing token, they could issue a malicious update that can infect the build environment or the application itself. To ensure that the build system updates the software component to a malicious version, threat actors often set the version number to an unusually high value. If a build system is instructed to use the latest component version, it will install the component with the highest version number, and execute its code.

Prevalence in PyPI community

No prevalence information at this time

Problem

Software components contain executable code that performs actions implemented during its development. These actions are called behaviors. In the analysis report, behaviors are presented as human-readable descriptions that best match the underlying code intent. While most behaviors are benign, some are commonly abused by malicious software with the intent to cause harm. When a software package shares behavior traits with malicious software, it may become flagged by security solutions. Any detection from security solutions can cause friction for the end-users during software deployment. While the behavior is likely intended by the developer, there is a small chance this detection is true positive, and an early indication of a software supply chain attack.

Problem

Out-of-band application security testing tools (OAST) rely on external servers to detect security vulnerabilities in web applications. This form of security testing inspects the web application from the outside in, similar to how the attackers would probe its defenses. External domains are commonly used to facilitate out-of-band security testing. Attackers commonly abuse tools designed for security testing to monitor network traffic and find weaknesses that can be exploited. While the presence of domains related to OAST tools does not imply malicious intent, all of their uses in a software package should be documented and approved. Attackers might have purposely injected security testing tools in the software package to monitor the network traffic of the infected computer system. It is also possible that the software package has mistakenly included a part of its testing infrastructure during packaging.