Researchers from GitGuardian have published the results of an analysis of secrets that developers forgot in code shipped to the PyPI (Python Package Index) repository of Python packages. After examining more than 9.5 million files and 5 million package releases linked to 450 thousand projects, leaks of confidential data were identified. Counting only unique secrets, without repeats across different releases, the number of detected leaks was 56866, and the number of projects with at least one leak was 3938.
In total, more than 150 types of secret leaks were detected, including ordinary passwords, cryptographic keys, access tokens for cloud services, continuous integration systems and APIs. About 150 credentials were still valid at the time of the study. Examples of the most common leaks that remain valid include Azure Active Directory access keys, SSH, MongoDB, MySQL and PostgreSQL credentials, GitHub OAuth App, Dropbox and Auth0 keys, and Coinbase and Twilio parameters.
Among the leak types growing in popularity are access tokens for Telegram bots, whose number doubled in early 2021 and doubled again in spring 2023. A steady decline has been recorded since 2020 for leaks of Google API keys, and since 2022 for DBMS credentials. Among the packages leading in the number of leaks, the chatllm and safire packages are mentioned, in which 209 OpenAI keys and 320 Google Cloud keys were left behind.
Among the file types in which the largest number of leaks was observed, apart from files with the ".py" extension, are files with the extensions .json (610 leaks), .md (270), PKG-INFO (240), METADATA (210) and .txt (170), as well as README files (209) and files from directories named test (675). Many leaks are also caused by oversight and by mistakes in configuring file exclusions when building packages. For example, files with local configuration settings (.cookiecutterrc, .env, .pypirc, etc.) may be excluded from the Git repository through the ".gitignore" file, which is not taken into account when the package is built. Notably, 43 .pypirc files containing PyPI access credentials were found in the repository. In 15 leaks, developers did not intend to publish packages that were meant for internal use, but uploaded them to PyPI by mistake.
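As an added example (not GitGuardian's study tooling or PyPI's own code), the following Python script scans a built sdist archive for exactly the kind of local-configuration files and credential patterns described above, the ones .gitignore keeps out of Git but not out of the package; the file-name list and regexes are simplified assumptions, and the sdist it scans is constructed inline.

```python
"""Pre-upload check for a Python sdist: flag files that .gitignore hid from Git but
that still landed in the archive. Added example, not GitGuardian's or PyPI's code;
the file-name list and secret patterns are simplified assumptions."""
import io, os, re, tarfile, tempfile

# Local-configuration and credential files that never belong in a release.
SENSITIVE_NAMES = {".pypirc", ".env", ".cookiecutterrc", "id_rsa", "id_ed25519"}
# Simplified content patterns for secrets that often sit in plain-text files.
SECRET_PATTERNS = [
    re.compile(r"^\s*password\s*[:=]\s*\S+", re.I | re.M),  # .pypirc / .env style
    re.compile(r"\bpypi-AgE[A-Za-z0-9_-]{20,}"),             # PyPI API token prefix
    re.compile(r"\bsk-[A-Za-z0-9]{20,}"),                    # OpenAI-style key
]

def scan_sdist(path):
    """Return sorted (member_name, reason) findings for one .tar.gz sdist."""
    findings = set()
    with tarfile.open(path, "r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            if member.name.rsplit("/", 1)[-1] in SENSITIVE_NAMES:
                findings.add((member.name, "sensitive file name"))
            try:
                text = tar.extractfile(member).read().decode("utf-8")
            except UnicodeDecodeError:
                continue  # binary member, nothing to grep
            for pat in SECRET_PATTERNS:
                if pat.search(text):
                    findings.add((member.name, "content matches " + pat.pattern))
                    break
    return sorted(findings)

def build_sample_sdist(path):
    """Write a constructed sdist: a leaked .pypirc plus a token in a test fixture."""
    files = {
        "demo-1.0/PKG-INFO": "Name: demo\nVersion: 1.0\n",
        "demo-1.0/.pypirc": "[pypi]\nusername = __token__\npassword = pypi-AgENdGVzdC5weXBpLm9yZ0FBQUFBQUFB\n",
        "demo-1.0/tests/fixtures.json": '{"api_key": "sk-CONSTRUCTEDEXAMPLEKEY00000000"}\n',
    }
    with tarfile.open(path, "w:gz") as tar:
        for name, body in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(body.encode())
            tar.addfile(info, io.BytesIO(body.encode()))

def demo():
    """Build the constructed sdist in a temp dir, scan it, and return the findings."""
    path = os.path.join(tempfile.mkdtemp(), "demo-1.0.tar.gz")
    build_sample_sdist(path)
    return scan_sdist(path)
```

Run `scan_sdist` on the `dist/*.tar.gz` produced by `python -m build` before uploading; a non-empty result means the exclusion configuration, not just .gitignore, needs fixing.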
In addition, two other events related to PyPI can be noted:
- In the PyPI repository, 8 malicious packages were detected, presented as obfuscation tools, i.e. tools that turn code into an unreadable form to make recovering the algorithm difficult. The detected packages had the string "pyobf" in their names (Pyobftoexe, Pyobfusfile, Pyobfexecute, Pyobfpremium, Pyobflight, Pyobfadvance, Pyobfuse and pyobfgood) and were downloaded more than 2000 times.
The malicious code embedded in the packages targeted the Windows platform and allowed connecting to an external control server, executing arbitrary commands on the developer's computer, searching for and sending sensitive information, such as login keys, to an external server, and sending arbitrary files from the system. The malicious code could also act as a keylogger, intercept passwords stored in Chrome, take screenshots, record audio, and even control the webcam.
- The results of an independent audit of the codebase of the tools used to run the pypi.org repository and of the cabotage framework used in the container orchestration infrastructure were published. The audit was carried out with the support of the non-profit OTF (Open Technology Fund). During the audit, no high-risk issues were found, and the source code was assessed as meeting secure coding requirements. At the same time, insufficient test coverage of the cabotage codebase was noted, and 29 issues were identified, of which 8 were assigned a medium risk level, 29 low, and 14 were classified as informational.
The most notable issues:
- Insufficient verification of the digital signatures used to integrate PyPI with AWS SNS allowed notifications to be sent to arbitrary users' email addresses.
- An information leak in the download handler that makes it possible to determine whether an account exists without generating any login-attempt events.
- The use of insecure cryptographic hashes, which does not rule out cache poisoning attacks.
- With the right to start build processes via cabotage, an attacker could substitute their own commands.
- With deploy rights in cabotage, an attacker could deploy an image that appears legitimate.
Source: opennet.ru
