An analyzer that identified 200 malicious packages in NPM and PyPI has been published

OpenSSF (Open Source Security Foundation), created by the Linux Foundation with the goal of improving the security of open source software, has introduced the open project Package Analysis, which develops a system for analyzing packages for the presence of malicious code. The project code is written in Go and distributed under the Apache 2.0 license. An initial scan of the NPM and PyPI repositories using the proposed tools made it possible to identify more than 200 malicious packages that had not been detected before.

Most of the problematic packages identified either exploited name collisions with projects' internal, non-public dependencies (dependency confusion attack) or used typosquatting (assigning names similar to those of popular libraries), and ran scripts that accessed external hosts during the installation process. According to the Package Analysis developers, most of the problematic packages identified were probably created by security researchers taking part in bug bounty programs, since the data sent was limited to the user name and system name, and the actions were performed openly, without any attempt to hide their behavior.

Packages with malicious activity include:

  • The PyPI package discordcmd, which was recorded sending unusual requests to raw.githubusercontent.com, the Discord API and ipinfo.io. The package downloaded backdoor code from GitHub and injected it into the directory of the Discord Windows client, after which it started searching the file system for Discord tokens and sending them to an external Discord server controlled by the attackers.
  • The NPM package colorss, which also attempted to send tokens from a Discord account to an external server.
  • The NPM package @roku-web-core/ajax - during installation it sent data about the system and launched a handler (reverse shell) that accepted external connections and executed commands.
  • The PyPI package secrevthree - launched a reverse shell when a specific module was imported.
  • The NPM package random-vouchercode-generator - after the library was imported, it sent a request to an external server, which returned a command and the time at which it should be executed.

The work of Package Analysis comes down to analyzing the source code of packages to identify network connections, file access and executed commands. In addition, changes in the state of packages are monitored in order to detect the addition of malicious inserts into a single release of software that was initially harmless. To track the appearance of new packages in repositories and changes to previously published packages, the Package Feeds toolkit is used, which covers the NPM, PyPI, Go, RubyGems, Packagist, NuGet and Crates repositories.
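As an added example, not code from the Package Analysis project (which traces package behavior dynamically in a sandbox rather than inspecting manifests), the following Python script applies two of the heuristics described above to an npm package.json: it flags names within one edit of a popular package (typosquatting) and lifecycle install hooks whose command reaches the network or spawns an interpreter. The popular-package list, the pattern list and the sample manifest are constructed for the demonstration.

```python
import json
import re

# Constructed list of popular npm names; a real check would use the registry's
# download-ranked top list (assumption, not data from the article).
POPULAR = ["colors", "lodash", "express", "request", "chalk"]
# Lifecycle hooks that npm runs automatically during `npm install`.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Hook command fragments that reach the network or spawn a shell/interpreter.
SUSPICIOUS = [r"https?://", r"\bcurl\b", r"\bwget\b", r"\bnc\b", r"node\s+-e\b", r"/dev/tcp/"]


def levenshtein(a, b):
    """Edit distance between two names (standard dynamic-programming form)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def typosquat_candidates(name, max_distance=1):
    """Popular names within max_distance edits of name, excluding an exact match."""
    return [p for p in POPULAR if p != name and levenshtein(name, p) <= max_distance]


def risky_install_scripts(manifest):
    """Lifecycle scripts whose command matches a suspicious pattern."""
    return {hook: cmd for hook, cmd in manifest.get("scripts", {}).items()
            if hook in LIFECYCLE_HOOKS and any(re.search(p, cmd) for p in SUSPICIOUS)}


def triage(manifest_text):
    """Static triage of one package.json: typosquat hints plus risky install hooks."""
    manifest = json.loads(manifest_text)
    name = manifest.get("name", "")
    return {"name": name,
            "typosquat_of": typosquat_candidates(name),
            "install_scripts": risky_install_scripts(manifest)}


# Constructed sample manifest modelled on the colorss-style case in the article.
SAMPLE_MANIFEST = json.dumps({
    "name": "colorss",
    "scripts": {"postinstall": "node -e \"require('https').get('https://example.invalid/c')\"",
                "test": "echo ok"},
})

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_MANIFEST), indent=2))
```

A hit from either check is a reason to inspect the package before installing it, not proof of malice; the dynamic tracing Package Analysis performs is what confirms actual network or shell activity.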

Package Analysis consists of three basic components that can be used both together and separately:

  • A scheduler that starts the package analysis task based on data from Package Feeds.
  • An analyzer that directly checks the package and evaluates its behavior using static analysis and dynamic tracing methods. The check is performed in an isolated environment.
  • A loader that places the results of the check in BigQuery storage.

Source: opennet.ru