Ma'ajiyar PyPI ta bayyana asirin kusan 5000 da suka rage a cikin lambar da kuma masu ɓarna 8.

Masu binciken GitGuardian sun buga sakamakon bincike na mahimman bayanai da masu haɓakawa suka manta a cikin lambar da aka shirya a cikin ma'ajiyar PyPI (Python Package Index) na fakitin Python. Bayan nazarin fiye da fayiloli miliyan 9.5 da fakiti miliyan 5 da ke da alaƙa da ayyuka dubu 450, an gano shari'o'in 56866 na leken asirin sirri. Idan muka yi la'akari da bayanai na musamman kawai, ba tare da kwafi a cikin fitowar daban-daban ba, adadin leaks ɗin da aka gano shine 3938, kuma adadin ayyukan tare da aƙalla ɗigo ɗaya shine 2922.

Gabaɗaya, sama da nau'ikan leak ɗin bayanan sirri sama da 150 an gano, gami da kalmomin sirri na yau da kullun, maɓallan sirri, alamun samun damar sabis na girgije, ci gaba da tsarin haɗin kai da APIs. Akalla takaddun shaidar 768 sun kasance masu aiki a lokacin binciken. Misalai na shahararrun leaks waɗanda suka kasance masu dacewa sun haɗa da maɓallin shiga don Azure Active Directory, takaddun shaida don SSH, MongoDB, MySQL da PostgreSQL, maɓallan GitHub OAuth App, Dropbox da Auth0, sigogin shiga na Coinbase da Twilio.

Daga cikin nau'ikan leken asirin da ke samun shahara akwai alamun samun damar shiga bots a cikin Telegram, adadin wanda ya ninka sau biyu a farkon 2021 sannan kuma ya ninka sau biyu a cikin bazara na 2023. Hakanan ana yin rikodin ƙara yawan leaks tun daga 2020 don maɓallan shiga Google API, kuma tun 2022 don takaddun shaida ga DBMS. Daga cikin fakitin da ke jagorantar yawan leaks, an ambaci fakitin chatllm da safire, inda aka manta da maɓallai 209 na OpenAI da maɓallan 320 na Google Cloud.

Daga cikin nau'ikan fayilolin da aka gano mafi yawan adadin leaks, ban da fayiloli tare da tsawo na ".py", akwai fayiloli tare da tsawo .json (610 leaks), .md (270), PKG-INFO (240) ), METADATA (210), txt (170), da kuma fayilolin README (209) da fayiloli daga kundin adireshi mai suna test (675). Yawancin leaks kuma saboda sa ido da kurakurai wajen saita keɓance fayiloli lokacin samar da fakiti. Misali, ana iya cire fayiloli tare da fayilolin sanyi na gida (.cookiecutterrc, .env, .pypirc, da sauransu) daga ma'ajiyar Git ta hanyar fayil ".gitignore", wanda ba a la'akari da lokacin ƙirƙirar kunshin. Musamman, an sami fayilolin 43 .pypirc a cikin ma'ajiyar bayanai masu ɗauke da takaddun shaida don samun damar PyPI. A cikin leaks guda 15, masu haɓakawa ba su yi niyyar fitar da fakitin da aka ƙirƙira don amfanin cikin gida a bainar jama'a ba, amma sun buga su akan PyPI bisa kuskure.

Bugu da ƙari, ana iya ambaton ƙarin abubuwa biyu masu alaƙa da PyPI:

  • A cikin ma'ajin PyPI, an gano fakitin ɓarna 8, waɗanda aka gabatar a matsayin abubuwan amfani don ɓoyewa, watau. rage lambar zuwa nau'in da ba za a iya karantawa ba, yana rikitarwa maido da algorithm. Fakitin da aka gano sun ƙunshi kirtani "pyobf" a cikin sunayensu (Pyobftoexe, Pyobfusfile, Pyobfexecute, Pyobfpremium, Pyobflight, Pyobfadvance, Pyobfuse da pyobfgood) kuma an zazzage su fiye da sau 2000.

    Lambar mugunta da aka haɗa a cikin fakitin ta kasance ta musamman ga dandamali Windows kuma an ba da izinin haɗi zuwa iko na waje uwar garken, gudanar da umarni na ba bisa ƙa'ida ba akan kwamfutar mai haɓaka, nemo da aika bayanai masu mahimmanci, kamar maɓallan shiga, zuwa sabar waje, da kuma canja wurin fayiloli na ba bisa ƙa'ida ba daga tsarin. Bugu da ƙari, lambar ɓarna za ta iya aiki azaman mai ɓoye maɓalli, kutse kalmomin shiga da aka shigar a cikin Chrome, ƙirƙirar hotunan kariyar kwamfuta, yin rikodin sauti, har ma da sarrafa kyamarar yanar gizo.

  • An buga sakamakon bincike mai zaman kansa na tushen lambar kayan aikin da aka yi amfani da su don tsara aikin ma'ajiyar pypi.org da tsarin kaboji da aka yi amfani da su a cikin kayan aikin kaɗe-kaɗe na kwantena. An gudanar da aikin tantancewar ne tare da tallafin wata kungiya mai zaman kanta ta OTF (Open Technology Fund). A yayin binciken, ba a gano wata matsala tare da babban haɗari ba, kuma an gane lambobin tushe a matsayin cika mahimman buƙatun don amintaccen codeing. A lokaci guda, an lura da rashin isasshen gwajin gwaji na codebase na cabotage kuma an gano matsalolin 29, wanda takwas aka sanya matsakaicin matsakaicin haɗari, 6 - ƙananan, kuma 14 an yiwa alama a matsayin sharhi.

    Matsalolin da aka fi sani:

    • Rashin isasshen tabbaci na sa hannun dijital da aka yi amfani da shi don haɗa PyPI tare da AWS SNS an ba da izinin aika sanarwar zuwa imel ɗin masu amfani.
    • Yabo bayanai a cikin mai sarrafa zazzagewa wanda ke ba ka damar tantance wanzuwar asusu ba tare da haifar da abubuwan da suka faru game da yunƙurin shiga ba.
    • Yin amfani da hashes mara inganci waɗanda ba sa keɓance harin guba na cache.
    • Idan kuna da damar ƙaddamar da tsarin gini ta hanyar cabotage, maharin na iya yuwuwar samun maye gurbin umarninsa.
    • Tare da haƙƙin turawa a cikin adadin, maharin zai iya yuwuwar ƙaddamar da ingantaccen hoto.

source: budenet.ru

Sayi amintaccen masauki don shafuka tare da kariyar DDoS, sabar VPS VDS 🔥 Sayi ingantaccen masaukin yanar gizo tare da kariyar DDoS, sabar VPS VDS | ProHoster