A Study of Malicious Code in PyPI Ecosystem

This page summarizes the projects mentioned and recommended in the original post on news.ycombinator.com

  • notes

    Notes, Questions, Ideas (by void4)

    It's (partially) a fundamental problem with Python and most other programming languages. The majority of libraries don't need more authority than doing (some) computation, yet any Python script can access anything and everything by default.

    https://en.wikipedia.org/wiki/Capability-based_security is the solution for this, yet Python will probably never be capable of this kind of internal encapsulation, it's too much of a fundamental change - and even if some sort of sandboxing ability is accomplished, creating separate/recursive sandboxes (needed when importing more, separate libraries) will probably require another interpreter instance (as with WebAssembly).

    I hope current and future language designers will take this into account, and construct their compilers, virtual machines and interpreters accordingly. Python was created before the internet as we know it now existed, so perhaps its lack of security mechanisms shouldn't be surprising. But it and any new developments that fail to consider this aspect of computation will be fundamentally flawed from the beginning.

    https://github.com/void4/notes/issues/41

  • bubblewrap

    Low-level unprivileged sandboxing tool used by Flatpak and similar projects

    This is basically manually invoking what Flatpak does:

    https://github.com/containers/bubblewrap

    This is also useful for more than just security. E.g., you can test how your app would behave on a fresh install by masking your user configuration files. I personally also have a tool that uses it to basically bundle all dependencies from an entire Linux distribution in order to make highly portable AppImages— Been meaning to post that, will get around to it eventually maybe.

    The flags above should hide your user data (`--tmpfs`), disable network access (`--unshare-all`), hide/virtualize devices and OS state (`--dev` and `--proc`), and make the rest of the root filesystem read-only (`--ro-bind`— Including the insecure X11 socket in `/tmp`, which you might want to expose for GUI apps).

    Check them against `bwrap --help`; I might have omitted one or two more things you'd need.

  • cli

    Command line interface for the Phylum API (by phylum-dev)

  • packj

    Packj stops :zap: Solarwinds-, ESLint-, and PyTorch-like attacks by flagging malicious/vulnerable open-source dependencies ("weak links") in your software supply-chain

    Cool project. How do you feel about projects like OpenSSF scorecards or even the checks that socket.dev does today on these packages to help determine risk?

    https://github.com/ossillate-inc/packj/blob/main/.packj.yaml

    Secondly, what about impersonation where attackers imitate a popular package and its respective metadata?
