Analyzer released that identified two hundred malicious packages in NPM and PyPI

The OpenSSF (Open Source Security Foundation), formed under the Linux Foundation and aimed at improving the security of open source software, has introduced the open Package Analysis project, which builds a system for checking packages for the presence of malicious code. The project code is written in Go and distributed under the Apache 2.0 license. An initial scan of the NPM and PyPI repositories using the proposed toolkit identified more than two hundred malicious packages that had not previously been noticed.

Most of the problematic packages detected rely on name collisions with projects' internal, non-public dependencies (dependency confusion attack) or on typosquatting (choosing names that resemble those of well-known libraries), and also run scripts that fetch external resources during installation. According to the Package Analysis developers, most of the problematic packages were probably created by security researchers taking part in bug bounty programs, since the data sent is limited to the user name and system name, and the actions are performed openly, without any attempt to hide their behaviour.

Packages with malicious activity include:

  • The PyPI package discordcmd, which was noticed sending atypical requests to raw.githubusercontent.com, the Discord API and ipinfo.io. The package downloaded backdoor code from GitHub and installed it into the Discord Windows client directory, after which it started a process that searched the file system for Discord tokens and sent them to an external Discord server controlled by the attackers.
  • The colorss NPM package, which also attempted to send tokens from a Discord account to an external server.
  • The NPM package @roku-web-core/ajax, which during installation sent data about the system and launched a handler (reverse shell) that accepted external connections and executed commands.
  • The PyPI package secrevthree, which launched a reverse shell when a specific module was imported.
  • The NPM package random-vouchercode-generator, which after the library was loaded sent a request to an external server that returned a command and the time at which it should be executed.

The work of Package Analysis comes down to analysing package code and the package installation process for the establishment of network connections, access to files, and the launching of commands. In addition, changes between package versions are tracked in order to detect malicious additions inserted into a later release of initially harmless software. To monitor the appearance of new packages in repositories and changes to previously published packages, the Package Feeds toolkit is used, which integrates with the NPM, PyPI, Go, RubyGems, Packagist, NuGet and Crates repositories.
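As an added illustration of the install-time behaviour checks described above (this is not code from the Package Analysis project), the following Python sketch triages a constructed sandbox trace for unexpected network connections, credential-store reads and shell execution, and then diffs two releases to surface behaviour that appeared only in the newer one; the event format, the registry host list and the credential-path fragments are assumptions.

```python
"""Toy behaviour triage for package-install sandbox events.

Added example, not code from the OpenSSF Package Analysis project. It
assumes a sandbox that records install-time events as dicts with a
"type" key (connect | file_read | exec) plus "host", "path" or "argv";
all event samples below are constructed.
"""
from __future__ import annotations

# Hosts a package manager legitimately contacts during install (assumed list).
REGISTRY_HOSTS = {"registry.npmjs.org", "pypi.org", "files.pythonhosted.org"}
# Interpreters that an install step normally has no reason to spawn.
SHELLS = {"sh", "bash", "cmd.exe", "powershell.exe"}
# Path fragments of local credential stores (assumption, modelled on the
# Discord token theft described in the article).
CREDENTIAL_PATHS = ("discord/local storage/leveldb", ".npmrc", ".pypirc")


def triage(events: list[dict]) -> set[str]:
    """Return a set of finding labels for one package's install trace."""
    findings = set()
    for ev in events:
        if ev["type"] == "connect" and ev["host"] not in REGISTRY_HOSTS:
            findings.add(f"net:unexpected-host:{ev['host']}")
        elif ev["type"] == "file_read":
            p = ev["path"].replace("\\", "/").lower()
            if any(frag in p for frag in CREDENTIAL_PATHS):
                findings.add(f"file:credential-store:{p}")
        elif ev["type"] == "exec":
            prog = ev["argv"][0].rsplit("/", 1)[-1].lower()
            if prog in SHELLS:
                findings.add(f"exec:shell:{prog}")
    return findings


def new_findings(prev_version: list[dict], new_version: list[dict]) -> set[str]:
    """Behaviour present in a new release but absent from the previous one."""
    return triage(new_version) - triage(prev_version)


# Constructed traces: a harmless release followed by a trojanised update.
V1_TRACE = [
    {"type": "connect", "host": "registry.npmjs.org"},
    {"type": "file_read", "path": "/app/node_modules/pkg/package.json"},
]
V2_TRACE = V1_TRACE + [
    {"type": "connect", "host": "203.0.113.5"},  # TEST-NET address, constructed
    {"type": "file_read", "path": "C:\\Users\\u\\AppData\\Roaming\\discord\\Local Storage\\leveldb\\000003.log"},
    {"type": "exec", "argv": ["/bin/sh", "-c", "uname -a"]},
]

if __name__ == "__main__":
    for finding in sorted(new_findings(V1_TRACE, V2_TRACE)):
        print(finding)
```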

Package Analysis consists of three main components that can be used both together and separately:

  • Scheduler, which initiates package analysis tasks based on data from Package Feeds.
  • Analyzer, which directly checks a package and examines its behaviour using static analysis and dynamic behaviour-detection methods. The test is carried out in an isolated environment.
  • Loader, which places the results in BigQuery for storage.

Source: opennet.ru
