[MART] - Daily Diary #517 - Be careful with your dependencies - Repository Typosquatting

CTAS-MAT ctas-mat at appgate.com
Tue May 24 21:01:16 UTC 2022


Hello,

I hope everyone is doing well!

Below is the entry for today.

05/24/2022 - Diary entry #517:

Today we are going to talk about Repository Typosquatting, a technique used to infect systems by exploiting typos made in package managers. Most languages have public third-party repositories whose packages can be installed as libraries in a project through a package manager. This convenience makes developers' lives easier, since external libraries are quickly downloaded and integrated into their code. But the same convenience can become a nightmare, as malicious packages are not so rarely uploaded to those repositories.

In Python, most Repository Typosquatting happens on PyPI, the Python Package Index, which is the official third-party repository for Python libraries. Using pip (the default package manager for Python), a developer only needs to type "pip install <package_name>" to download and install a library together with its dependencies. If a typo is made, chances are it will match a rogue package with a similar name. The lack of moderation on PyPI and other package repositories makes them susceptible to Typosquatting: threat actors just need to upload malware under a similar name and wait for someone to install it by accident.

This week, a Repository Typosquatting campaign was found targeting PyKafka, a popular Apache Kafka client. The attackers registered the malicious package as "pymafka". Since the "m" key sits next to the "k" key on QWERTY keyboards, more than 300 users downloaded the malicious package by accident. Once the library was installed, its malicious code deployed a Cobalt Strike beacon on the system, allowing the attackers to move laterally and exploit other systems in the network. Although the malicious package has already been removed, devices that had the library installed may still pose a threat.

Python is not the only platform vulnerable to Typosquatting attacks; numerous incidents involving NPM, the JavaScript package repository, have been disclosed over the past few years. It is important to always double-check the installed dependencies, regardless of the platform, and it is good practice to install them only through requirements files. Dependencies and third-party libraries should never be blindly trusted: developers should validate what they are installing and, preferably, pin fixed versions in their projects, since not so rarely even trusted libraries are compromised and deliver malicious code through updates.
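The two checks recommended above (validate what a requirements file pulls in, and pin fixed versions) as a small audit script. This is an added example, not code from the diary or from Appgate; the allow-list, the keyboard model and the sample requirements are constructed, and the adjacency test assumes a US QWERTY layout.

```python
"""Audit a pip requirements file for unpinned versions and package names one typo
away from an allow-list (added example; allow-list and sample data are constructed)."""
import re
QWERTY_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")   # assumption: US layout
ROW_OFFSET = (0.0, 0.5, 1.0)   # horizontal stagger of each row, in key widths
KEY_POS = {c: (i + ROW_OFFSET[y], y)
           for y, row in enumerate(QWERTY_ROWS) for i, c in enumerate(row)}
REQ_LINE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==\s*\S+)?")

def one_edit_apart(a, b):
    """True if a and b differ by exactly one substitution, insertion or deletion."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    for i in range(min(len(a), len(b))):
        if a[i] != b[i]:   # skip the mismatch in the longer string (or in both)
            return a[i + 1:] == b[i + 1:] if len(a) == len(b) else \
                (a[i:] == b[i + 1:] if len(a) < len(b) else a[i + 1:] == b[i:])
    return True            # strings differ only by one trailing character

def adjacent_key_typo(a, b):
    """True if a and b differ in one letter whose keys are neighbours ('k'/'m' are)."""
    diff = [(x, y) for x, y in zip(a, b) if x != y] if len(a) == len(b) else []
    if len(diff) != 1 or any(c not in KEY_POS for c in diff[0]):
        return False
    (ax, ay), (bx, by) = (KEY_POS[c] for c in diff[0])
    return abs(ax - bx) <= 1 and abs(ay - by) <= 1

def audit_requirements(text, approved):
    """Return (package, finding) pairs for every risky line of a requirements file."""
    findings = []
    for raw in text.splitlines():
        m = REQ_LINE.match(raw.split("#", 1)[0].strip())   # strip comments first
        if not m:                                           # blank line or pip option
            continue
        name, pin = m.group(1).lower().replace("_", "-"), m.group(2)
        if name not in approved:
            near = [k for k in approved if one_edit_apart(name, k)]
            why = "not on allow-list" if not near else "one typo away from %r%s" % (
                near[0], " (adjacent keys)" if adjacent_key_typo(name, near[0]) else "")
            findings.append((name, why))
        if not pin:
            findings.append((name, "version not pinned with =="))
    return findings

SAMPLE_REQUIREMENTS = """pykafka==2.8.0
pymafka==1.0.3   # 'm' sits next to 'k' on a QWERTY keyboard
requests         # no version at all
flask>=2.0       # a range is not a fixed version
"""   # constructed sample input
APPROVED = {"pykafka", "requests", "flask"}   # constructed allow-list
```

Running audit_requirements(SAMPLE_REQUIREMENTS, APPROVED) flags "pymafka" as one adjacent-key typo away from "pykafka" and reports "requests" and "flask" as not pinned to a fixed version.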

Kind Regards,




Felipe Duarte Domingues

Manager, MART
Appgate

E: felipe.duarte at appgate.com

