
How did the Python supply chain attack occur?

A Python supply chain attack made it possible for an attacker to steal cryptocurrency. What steps should be taken to prevent incidents like this?

A security researcher reported a supply chain attack that involved an official software repository for the Python programming language. How did this supply chain attack work?

There isn't a sysadmin or programmer around who hasn't cursed a software installer or its associated instructions that overlook something that results in a failed install.

The frustration of just wanting to get an installation done led to more automated tools that made installing software easier and more reproducible. It also led to Autoconf, the Perl Package Manager, apt, app stores and many other tools, including the packaging tools of the Python programming language.

Moreover, each app store or installation system has its own security model. An enterprise that uses one needs to understand that model, and how it may differ from what the company expects.

In the Python incident, the supply chain attack targeted the PyPI repository in a quest to steal cryptocurrency. A security engineer who wrote about the hack said he found a PyPI package, dubbed colourama, while performing security scans; in total, he found 11 malicious packages and reported them to the PyPI team. The attack works by typosquatting on a legitimate Python package named colorama, which is used to produce colored terminal text and cursor positioning on Microsoft Windows.

Once the malicious code is downloaded, it triggers a script that monitors the Windows clipboard for signs of a bitcoin address. The supply chain attack takes advantage of vulnerabilities that exist in software module installers. This incident -- and others like it -- should remind enterprises and developers that every third-party component they use in their software should be thoroughly vetted before it goes into production.
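One concrete vetting step the advice above points toward, added here as an example and not taken from the original article: a small script that normalises the package names in a requirements.txt file and flags any name that sits within a couple of edits of a package the team has already approved, which is exactly how colourama relates to colorama. The approved-package allowlist and the sample requirements are constructed for illustration.

```python
import re

# Constructed allowlist standing in for an organisation's vetted packages
# (assumption: a real team would export this from its approved-package list).
APPROVED = {"colorama", "requests", "numpy", "cryptography", "pyyaml"}

# Constructed sample requirements.txt; 'colourama' is the name from the article.
SAMPLE_REQUIREMENTS = """\
colorama==0.4.1
colourama==0.1.6   # one letter away from colorama
requsts>=2.20      # dropped letter
cryptography
leftpad            # not a near-miss of anything approved
"""

def normalize(name):
    """PEP 503 name normalisation: lowercase, runs of '-', '_' and '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def edit_distance(a, b):
    """Levenshtein distance by dynamic programming (insert/delete/substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def parse_requirements(text):
    """Yield bare package names, dropping comments, option lines (-r, --hash) and specifiers."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        if match := re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line):
            yield match.group(0)

def check_requirements(text, approved=APPROVED, max_distance=2):
    """Map each requirement to 'approved', 'unknown' or a typosquat warning naming near matches."""
    findings = {}
    for name in parse_requirements(text):
        norm = normalize(name)
        if norm in approved:
            findings[name] = "approved"
            continue
        near = sorted(p for p in approved if edit_distance(norm, p) <= max_distance)
        findings[name] = ("typosquat? resembles " + ", ".join(near)) if near else "unknown"
    return findings
```

Running `check_requirements(SAMPLE_REQUIREMENTS)` marks colourama and requsts as suspected typosquats of colorama and requests, and leftpad as simply unknown, so both classes get a human look before installation.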


This was last published in February 2019
