Attackers are taking an interest in open-source software. One of the infection methods they use is the delivery of malicious software through third-party dependencies. To protect against such threats, it is necessary to ensure that external dependencies are regularly checked for malicious code.

Product overview

PT PyAnalysis is a service used for detecting suspicious and malicious Python packages which can be integrated into the secure software development process. PT PyAnalysis examines packages from the global PyPI repository. As independent auditors of this repository, we have found more than 200 malicious packages in it in the course of nine months' research. From the user's point of view, the service is an API that allows you to check a package by name and get a verdict on its functions: clean, suspicious, or malicious.

Why it is important to check packages from PyPI

Anyone can register a package under an unused name on pypi.org. The site has its own verification system, but its detection rules are part of the project's open source code, so attackers can study and bypass them. The system itself does not block packages: the site administrators receive alerts by email and review the verdicts to decide whether to block a package.

Attack vectors

  • Creating an account and uploading packages whose names mimic an existing package. In 2022, we found many such packages, including selfbotts, selfbotters, requist, rquests, equests, colorafull, and colorapy, which mimicked the selfbots, requests, and colorful packages.
  • Uploading malicious packages from a newly created account under names that suggest they solve a particular problem. In particular, we caught the requests-json, requestscaches, and flask-utils-helper packages.
  • Gaining unauthorized access to a legitimate developer's account and releasing "new" versions of that developer's packages. In May 2022, the account of the ctx module's developer was compromised, and an AWS token stealer was added to the next version of the package. In August, at least 10 popular packages were compromised through mass phishing.

Using Python packages also carries the risk of a developer's computer being compromised. Anyone can mistype a package name when installing it. At best, the installer reports that the package does not exist; otherwise a different package is installed, and at worst the developer's computer is infected with malware.

How it works

  1. A client sends a request to the system. The request can be generated by an automated system, for example as part of a CI/CD pipeline, or sent manually for a one-time check. The request can contain the package name and version, or a link to the project on GitHub.
  2. The system accepts the request and checks the package.
  3. Based on the collected information, the system generates a verdict on whether the package is safe or not.
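The following is an added example, not PT PyAnalysis code, of the kind of pre-install gate a CI/CD job could run in front of a verdict service. It covers both the typosquatting pattern from the attack vectors above (names such as rquests or colorafull that sit one or two edits away from a well-known package) and the request-then-verdict flow of this section. The `POPULAR` list, the `(name, version) -> verdict` lookup signature, and the `SAMPLE_VERDICTS` table are all assumptions constructed for the example; a real deployment would replace `sample_lookup` with a client for the verdict API.

```python
"""Pre-install gate for a pinned requirements file (added example, not product code).

For every pinned requirement it (1) flags names within a small edit distance of a
well-known package that are not that package, and (2) asks a verdict lookup whether
the package is clean, suspicious or malicious. The lookup is a callable so any
verdict API can be plugged in; here it is an in-memory table of constructed verdicts.
"""
import re
import sys
from typing import Callable, Dict, List, Optional, Tuple

# Well-known packages that attackers mimic (assumption: a list maintained by the team).
POPULAR = {"requests", "selfbots", "colorful", "flask", "numpy"}

# (name, version) -> "clean" | "suspicious" | "malicious" | "unknown"
VerdictLookup = Callable[[str, str], str]

# Matches "name==version" (optional extras), ignoring comments and markers.
REQ_LINE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*==\s*([^\s;#]+)")


def normalize(name: str) -> str:
    """PEP 503 normalisation: lower-case and collapse runs of '-', '_' and '.' to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute; cost 1 each)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(name: str, popular=POPULAR, max_distance: int = 2) -> Optional[str]:
    """Return the popular package this name resembles, or None if it is that package or unrelated."""
    n = normalize(name)
    if n in popular:
        return None
    best = min(popular, key=lambda p: edit_distance(n, p))
    return best if edit_distance(n, best) <= max_distance else None


def parse_requirements(text: str) -> List[Tuple[str, str]]:
    """Extract (name, version) from pinned lines; comments and unpinned specs are skipped."""
    return [(m.group(1), m.group(2)) for m in map(REQ_LINE.match, text.splitlines()) if m]


def gate(requirements: str, lookup: VerdictLookup) -> Dict[str, List[str]]:
    """Classify each requirement into 'block' (fail the build) or 'warn' (needs review)."""
    result: Dict[str, List[str]] = {"block": [], "warn": []}
    for name, version in parse_requirements(requirements):
        target = lookalike(name)
        if target is not None:
            result["warn"].append(f"{name}=={version}: name resembles '{target}'")
        verdict = lookup(name, version)
        if verdict == "malicious":
            result["block"].append(f"{name}=={version}: verdict malicious")
        elif verdict in ("suspicious", "unknown"):
            # An unanswered or unknown verdict must not silently pass.
            result["warn"].append(f"{name}=={version}: verdict {verdict}")
    return result


# Constructed sample verdicts standing in for the verdict service (not real data).
SAMPLE_VERDICTS = {
    ("requests", "2.28.1"): "clean",
    ("rquests", "0.0.1"): "malicious",
    ("flask-utils-helper", "1.0.0"): "suspicious",
    ("colorafull", "0.1"): "malicious",
}


def sample_lookup(name: str, version: str) -> str:
    return SAMPLE_VERDICTS.get((normalize(name), version), "unknown")


# Constructed sample requirements.txt for the demonstration.
SAMPLE_REQUIREMENTS = """\
requests==2.28.1
rquests==0.0.1            # typo for requests
flask-utils-helper==1.0.0
colorafull==0.1
numpy>=1.0                # unpinned: skipped by this gate
"""

if __name__ == "__main__":
    verdicts = gate(SAMPLE_REQUIREMENTS, sample_lookup)
    for level in ("block", "warn"):
        for line in verdicts[level]:
            print(f"[{level}] {line}")
    sys.exit(1 if verdicts["block"] else 0)
```

The edit-distance heuristic is deliberately conservative: with a threshold of 2 it catches rquests, equests, requist, selfbotts and colorafull, but misses selfbotters and colorapy from the list above, which is why the name check only warns and the verdict lookup is what actually blocks.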

Video

(Un)secure development: how to protect against malicious Python packages

Key features

PT PyAnalysis detects malicious code functions aimed at:

  • Complicating the analysis
  • Encrypting files
  • Stealing data
  • Running unsecure commands
  • Using unusual protocols
  • Performing system reconnaissance
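To make the feature categories concrete, here is an added example, not PT PyAnalysis code or its detection rules, of a small static scanner that walks the AST of a package's setup.py and maps common patterns onto five of the categories above (analysis obfuscation, data theft, command execution, unusual protocols, reconnaissance; file encryption is left out). The module and call lists, the sensitive-path fragments, and `SAMPLE_SETUP_PY` are assumptions constructed for the example.

```python
"""AST-based setup.py scanner (added example, not product code)."""
import ast
from typing import List, NamedTuple, Optional


class Finding(NamedTuple):
    category: str
    line: int
    detail: str


# Assumed mapping of imports and calls onto the feature categories; a real
# rule set would be larger and tuned against false positives.
MODULE_CATEGORY = {
    "subprocess": "running unsecure commands",
    "socket": "using unusual protocols",
    "platform": "performing system reconnaissance",
}
COMMAND_CALLS = {"subprocess.Popen", "subprocess.run", "subprocess.call", "os.system", "os.popen"}
RECON_CALLS = {"platform.uname", "platform.node", "socket.gethostname", "os.getlogin", "getpass.getuser"}
DECODERS = {"b64decode", "b32decode", "decompress", "unhexlify"}
SENSITIVE_PATH_PARTS = (".aws/credentials", ".ssh/", ".netrc")


def _dotted(node: ast.AST) -> Optional[str]:
    """Render a Name/Attribute chain as 'a.b.c'; None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


class SetupScanner(ast.NodeVisitor):
    def __init__(self) -> None:
        self.findings: List[Finding] = []

    def _add(self, category: str, node: ast.AST, detail: str) -> None:
        self.findings.append(Finding(category, node.lineno, detail))

    def visit_Import(self, node: ast.Import) -> None:
        for alias in node.names:
            category = MODULE_CATEGORY.get(alias.name.split(".")[0])
            if category:
                self._add(category, node, f"import {alias.name}")
        self.generic_visit(node)

    def visit_ImportFrom(self, node: ast.ImportFrom) -> None:
        category = MODULE_CATEGORY.get((node.module or "").split(".")[0])
        if category:
            self._add(category, node, f"from {node.module} import ...")
        self.generic_visit(node)

    def visit_Call(self, node: ast.Call) -> None:
        callee = _dotted(node.func)
        if callee in ("exec", "eval") and node.args and isinstance(node.args[0], ast.Call):
            # exec()/eval() of a decoded or decompressed blob: obfuscated payload.
            inner = _dotted(node.args[0].func) or ""
            if inner.rsplit(".", 1)[-1] in DECODERS:
                self._add("complicating the analysis", node, f"{callee}({inner}(...))")
        elif callee in COMMAND_CALLS:
            shell = any(k.arg == "shell" and isinstance(k.value, ast.Constant) and k.value.value is True
                        for k in node.keywords)
            self._add("running unsecure commands", node, f"{callee}(shell=True)" if shell else f"{callee}(...)")
        elif callee in RECON_CALLS:
            self._add("performing system reconnaissance", node, f"{callee}()")
        self.generic_visit(node)

    def visit_Constant(self, node: ast.Constant) -> None:
        # String literals naming credential files point at data theft.
        if isinstance(node.value, str) and any(p in node.value for p in SENSITIVE_PATH_PARTS):
            self._add("stealing data", node, f"references {node.value!r}")
        self.generic_visit(node)


def scan_source(src: str) -> List[Finding]:
    scanner = SetupScanner()
    scanner.visit(ast.parse(src))
    return sorted(scanner.findings, key=lambda f: f.line)


def categories(findings: List[Finding]) -> set:
    return {f.category for f in findings}


# Constructed sample setup.py exhibiting the patterns; the base64 blob decodes to print('hi').
SAMPLE_SETUP_PY = """\
# constructed sample setup.py, not a real package
import base64, subprocess, socket, platform
from setuptools import setup

host = platform.uname()
exec(base64.b64decode("cHJpbnQoJ2hpJyk="))  # decodes to print('hi')
subprocess.Popen("whoami", shell=True)
creds = open("~/.aws/credentials").read()

setup(name="harmless-looking", version="0.0.1")
"""

if __name__ == "__main__":
    for f in scan_source(SAMPLE_SETUP_PY):
        print(f"line {f.line}: {f.category}: {f.detail}")
```

A scanner like this only finds what its rule lists name, and a setup.py that builds the call through `getattr` or string concatenation slips past it; that is the gap a dynamic or reputation-based verdict service is meant to close.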

Join our PT PyAnalysis channel in Telegram. Our experts, partners, and customers will answer your questions, share useful links, and keep you updated on news about the service.
