
Backdoored Python Library Caught Stealing SSH Credentials - BerislavLopac
https://www.bleepingcomputer.com/news/security/backdoored-python-library-caught-stealing-ssh-credentials/
======
llccbb
The insecurity of many of the popular package managers (pypi, npm, crates) and
the wholesale reliance of so many software systems on these managers seems
like a massive security risk. While I appreciate the simplicity of getting an
up to date environment through these managers, I always have a tinge of fear
in using them. Whether it is backdoors, information theft (like this article),
or filesystem destruction, they all are simple to implement and simple to
hide. I let so much arbitrary code run on my computer when I import a python
module. Maybe the breach isn't in a popular top-level library, but some dumb
little dependency. It's even more dangerous because most eyes aren't looking
at that dependency, presumably.

I am tremendously naive about infosec and security in general, but I can predict
that the big companies have measures in place to mitigate these risks.
Containerization seems like it could help limit the scope of the damage, but
the popular containers seem like they are more at risk (usually downloading
the latest releases) of encountering these attacks.

What is the likelihood that some actors (state-sponsored or otherwise) could
bring down some major systems? Not Google/Facebook/Visa/Netflix major, but
widespread across many smaller platforms.

Blackhats and Whitehats out there must be collecting information on:

Which dependencies/libraries could be targeted

Which authors/publishers are vulnerable (regarding password safety, lib
deployment mechanisms, ...)

Which systems/libs to compromise to affect classes of targets

I feel like this is a likely cyber attack vector over the next 10 years. How
haven't there been more of these that are successful? Is someone building the
intelligence in preparation for attacking? Are these systems actually secure
(if you successfully avoid malicious users)?

