A security researcher reported a supply chain attack that involved an official software repository for the Python programming language. How did this supply chain attack work?
There isn't a sysadmin or programmer around who hasn't cursed a software installer, or its accompanying instructions, for overlooking some detail that causes the install to fail.
The frustration of just wanting to get an installation done led to the introduction of more automated tools, which made installing software easier and more reproducible. It also led to Autoconf, the Perl Package Manager, apt, app stores and many other tools, including the Python programming language.
Moreover, each app store or installation system has its own security model, and an enterprise using it needs to understand that model and how it may differ from what the company expects.
In the Python incident, the supply chain attack targeted the PyPI repository with the goal of stealing cryptocurrency. A security engineer who wrote about the hack said he found a PyPI package, dubbed colourama, while performing security scans; in total, he found 11 malicious packages and reported them to the PyPI team. The attack works by typosquatting on a legitimate Python package named colorama, which produces colored terminal text and handles cursor positioning on Microsoft Windows.
When the malicious package is downloaded and installed, it triggers a script that monitors the Windows clipboard for anything that looks like a bitcoin address. The supply chain attack takes advantage of weaknesses in software module installers. This incident -- and others -- should remind enterprises and developers that every third-party component they use in their software should be thoroughly vetted before it is put into production.
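One concrete vetting step that catches the colourama/colorama pattern is to compare the package names a project requests against an allowlist of packages the organization already trusts and flag anything that is not on the list but sits within a couple of edits of an allowed name. The script below is an added example, not code from the article or from PyPI; the allowlist and the sample requirements file are constructed for illustration.

```python
import re

def normalize(name: str) -> str:
    """PEP 503 name normalization so 'Colour_ama' and 'colour-ama' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def levenshtein(a: str, b: str) -> int:
    """Plain edit distance: insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def parse_requirements(text: str) -> list[str]:
    """Extract bare project names from requirements.txt-style lines."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line or line.startswith("-"):   # skip pip options such as -r, -e
            continue
        m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if m:
            names.append(m.group(0))
    return names

def typosquat_candidates(requested, allowlist, max_distance=2):
    """Return (requested_name, closest_allowed_name, distance) for every requested
    name that is not on the allowlist but is within max_distance edits of one."""
    allowed = {normalize(n) for n in allowlist}
    findings = []
    for name in requested:
        n = normalize(name)
        if n in allowed or not allowed:
            continue
        closest, dist = min(((k, levenshtein(n, k)) for k in allowed), key=lambda kv: kv[1])
        if dist <= max_distance:
            findings.append((name, closest, dist))
    return findings

# Constructed sample input: a requirements file containing one typosquat-like name.
SAMPLE_REQUIREMENTS = """\
requests==2.31.0
colourama>=0.4   # one letter away from the real colorama
numpy
"""
ALLOWLIST = ["colorama", "requests", "numpy", "pip"]   # hypothetical trusted set

if __name__ == "__main__":
    for name, known, dist in typosquat_candidates(parse_requirements(SAMPLE_REQUIREMENTS), ALLOWLIST):
        print(f"{name}: {dist} edit(s) from allowed package {known}; review before installing")
```

Findings are review prompts rather than automatic blocks, since a legitimately new dependency with a short name can land within two edits of an allowed one.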
Related Q&A from Nick Lewis