Backdoored Python Library Caught Stealing SSH Credentials (bleepingcomputer.com)
24 points by BerislavLopac 8 months ago | hide | past | web | favorite | 1 comment

The insecurity of many of the popular package managers (pypi, npm, crates) and the wholesale reliance of so many software systems on these managers seems like a massive security risk. While I appreciate the simplicity of getting an up to date environment through these managers, I always have a tinge of fear in using them. Whether it is backdoors, information theft (like this article), or filesystem destruction, they all are simple to implement and simple to hide. I let so much arbitrary code run on my computer when I import a python module. Maybe the breach isn't in a popular top-level library, but some dumb little dependency. It's even more dangerous because most eyes aren't looking at that dependency, presumably.

I am tremendously naive to infosec and security in general, but I can predict that the big companies have measures in place to mitigate these risks. Containerization seems like it could help limit the scope of the damage, but the popular containers seem like they are more at risk (usually downloading the latest releases) to encounter these attacks.

What is the likelihood that some actors (state-sponsored or otherwise) could bring down some major systems? Not Google/Facebook/Visa/Netflix major, but widespread across many smaller platforms.

Blackhats and Whitehats out there must be collecting information on:

Which dependencies/libraries could be targeted

Which authors/publishers are vulnerable (regarding password safety, lib deployment mechanisms, ...)

Which systems/libs to compromise to affect classes of targets

I feel like this is a likely cyber attack vector over the next 10 years. How haven't there been more of these that are successful? Is someone building the intelligence in preparation for attacking? Are these systems actually secure (if you successfully avoid malicious users)?
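The comment above worries that importing a package runs arbitrary code before anyone has looked at it. One concrete control that addresses this is hash pinning: the lock file records the SHA-256 of each artifact, and the installer refuses anything that does not match, so a republished or tampered archive is rejected before its setup code or import-time code can execute. The script below is an added illustration, not code from the thread or the linked article; it mimics what `pip install --require-hashes` enforces, using pip's `name==version --hash=sha256:<hex>` line syntax. The package names and archive bytes are constructed for the demo and do not correspond to real packages.

```python
"""Hash-pinned dependency verification (added example, not from the thread).

Mimics the check pip performs under --require-hashes: every requirement
must carry a sha256 pin, and a downloaded artifact is accepted only if
its digest equals the pinned one. Sample data is constructed.
"""
import hashlib
import re

# pip's hash-pin syntax: name==version --hash=sha256:<64 hex chars>
PIN_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9_.-]+)==(?P<version>\S+)\s+--hash=sha256:(?P<sha>[0-9a-f]{64})\s*$"
)


def parse_requirements(text):
    """Return {name: (version, sha256)} for every line; raise on any unpinned line.

    Refusing unpinned lines is the whole point: one missing pin would let an
    arbitrary upstream artifact through.
    """
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        m = PIN_RE.match(line)
        if not m:
            raise ValueError(f"unpinned or malformed requirement: {line!r}")
        pins[m["name"].lower()] = (m["version"], m["sha"])
    return pins


def verify_artifact(name, data, pins):
    """True iff `data` (the downloaded archive bytes) matches the pinned digest.

    Anything not present in the lock file is refused: install only what was
    reviewed and pinned, never a transitive surprise.
    """
    key = name.lower()
    if key not in pins:
        return False
    _, expected = pins[key]
    return hashlib.sha256(data).hexdigest() == expected


# Constructed sample archives (stand-ins for sdist/wheel bytes, not real packages).
GOOD_ARCHIVE = b"constructed package contents v1.0.0"
TAMPERED_ARCHIVE = b"constructed package contents v1.0.0 plus an extra setup hook"

# Constructed lock file pinning the good archive's digest.
REQUIREMENTS = (
    "# constructed lock file for the demo\n"
    f"examplepkg==1.0.0 --hash=sha256:{hashlib.sha256(GOOD_ARCHIVE).hexdigest()}\n"
)


def demo():
    """Run the three interesting cases: matching, tampered, and unlisted package."""
    pins = parse_requirements(REQUIREMENTS)
    return {
        "good": verify_artifact("examplepkg", GOOD_ARCHIVE, pins),
        "tampered": verify_artifact("examplepkg", TAMPERED_ARCHIVE, pins),
        "unlisted": verify_artifact("otherpkg", GOOD_ARCHIVE, pins),
    }


if __name__ == "__main__":
    print(demo())  # expected: {'good': True, 'tampered': False, 'unlisted': False}
```

In practice you generate such a lock file with a tool (for example `pip hash` or `pip-compile --generate-hashes`) on a machine where you have reviewed the artifacts, commit it, and install with `pip install --require-hashes -r requirements.txt` in CI and production. This does not tell you whether a package was benign when you pinned it, but it does stop a later silent replacement of the artifact from reaching your machines, which is the scenario in the linked article.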