The company says it will help OpenSSF to scale the Package Analysis Project, which brings the ability to scan open source packages. Google will allow results from analysis to be stored in its BigQuery fully managed serverless data warehouse. With this support, users will get an alert if malicious open source software is uploaded to a repository. Google points out that the method will also provide more information on security through the software supply chain. Google has analysed 200 malicious packages that were uploaded on PyPI and NPM. You can see the results here, but Google expands on the details in a blog post: “PyPI: discordcmd This Python package will attack the desktop client for Discord on Windows. It was found by spotting the unusual requests to raw.githubusercontent.com, Discord API, and ipinfo.io. NPM: @roku-web-core/ajax During install, this NPM package exfiltrates details of the machine it is running on and then opens a reverse shell, allowing the remote execution of commands.”
Ongoing Risk
Google suggests most malicious packages are from security researchers because of the lack of sophistication. In other words, researchers are investigating malicious packages instead of perpetuating them. Still, the company points out there must be improvements in methods for vetting packages that land on repositories. Google calls for an open standard for reporting and centralizing test results. Of course, that is exactly what the OpenSSF Package Analysis Project aims to deliver. Tip of the day: Do you sometimes face issues with Windows search where it doesn’t find files or return results? Check our tutorial to see how to fix Windows search via various methods.
