
Infiltrating Python’s Software Supply Chain - walterbell
https://medium.com/@chetan_conikee/evolving-threat-series-infiltrating-pythons-software-supply-chain-bbab7bcfdb55
======
daenz
From a more general security perspective, I've recently been thinking about
the attack vector of open source followers. If you are a malicious open source
project owner, your project's follower/star list is a goldmine for potential
attack targets. Likely the degree that someone likes/watches/follows your
project is highly correlated to their use of your project
personally/professionally. A bad actor could tailor their attacks based on
this information.

~~~
jdsully
I run KeyDB which is a medium sized OSS project. Stars and followers go up
after we're posted somewhere but it doesn't necessarily correlate directly with
downloads. It's at best a leading indicator of what our downloads will do over
the next month.

I suppose it's a better indicator than random, but I don't think it's very
useful. You're much better off looking at Stack Share or job postings where
this information is given away freely.

------
sytelus
There are an astonishingly small number of highly underpaid, under-appreciated
people gatekeeping our daily software diet. Hundreds of components that build
up the free software pyramid, everything in and from Anaconda, Python binaries,
numpy, pandas, jupyter, OpenXYZ, are basically at the whims of some Joe whose
name you don't know, let alone the details of how they are funded or their
processes. A state sponsored actor with long term goals can push malicious PRs
to any one of these or become a maintainer and take over the global software
infrastructure. I'm not sure how long before this grand pyramid built on such a
fragile security foundation crumbles.

~~~
rusticpenn
Anaconda is managed by a private company ([https://www.anaconda.com/about-us/](https://www.anaconda.com/about-us/)).

------
kapilvt
Nice write up.

The python software foundation is currently sponsoring work to bring
additional cryptographic verification to pypi
[https://github.com/python/request-for/blob/master/2019-Q4-Py...](https://github.com/python/request-for/blob/master/2019-Q4-PyPI/RFI.md)

Some additional links wrt other tools, techniques, and exploits on pypi
security [https://python-security.readthedocs.io/packages.html](https://python-security.readthedocs.io/packages.html)

------
ptx
The typo-squatting aspect (and the related recommendation to vendors)
seems somewhat beside the point. I think the problem is simply: how can you
tell that a package is trustworthy?

The article's scenario, where the victim relies on Stackoverflow answers to
judge trustworthiness, would play out the same way without typo-squatting -
for example, the Python 3 replacement for PIL is called Pillow. I'm pretty
sure Pillow is legitimate, but how do I determine this in general?

------
lostmsu
Today GitHub shows you which other open source projects use your packages, so
even if they did not like it explicitly you will know.

------
fastily
This really deserves more attention. As an oss contributor myself, I’ve
noticed that almost no one actually reviews your source code, often choosing
to blindly trust libraries simply because they’re available via the language’s
package manager.

