1. The blast radius appears to be very minimal, the affected GitHub package has 0 stars, 2 contributors, 1 watcher and 4 issues total.
2. The issue was caught and resolved quickly (within a day?).
3. I haven't seen any explanation by the developer on whether their account was compromised?
The vulnerability is not in FastAPI itself, but in a relatively unknown utility package that you probably aren't using.
Still good to raise awareness but a slight bit of scaremongering
> While FastAPI itself is not impacted, this is an interesting occurrence of an attacker attempting to deploy a FastAPI-specific backdoor.
Appreciate your feedback!
I know they are public via GH, but it feels weird to redact every piece of PII including avatar, then leaving a name and email in there.
It's not scaremongering as much as it is a (thinly veiled) ad for Datadog's own tech:
> using our latest open source tool, GuardDog, which uses heuristics to identify malicious or compromised PyPI packages.
> We recently released GuardDog, a free and open-source tool to identify malicious PyPI packages
> Datadog ASM Vulnerability Monitoring, announced earlier this year at Dash, allows you to identify vulnerable and malicious packages
> Datadog Cloud Workload Security has a number of out-of-the-box rules to detect post exploitation scenarios
Could not find any public use of the package but there's a few interesting things about this repo:
- The author used to work at wargaming.net at the time the repo was created (publisher of World of Tanks)
- There are two contributors: the author and one of his ex-colleagues from wargaming.net.
- There are a bunch of maintenance commits over the years suggesting actual use and not just a random weekend project.
A bit far-fetched but whoever introduced this backdoor could be attempting a targeted attack against wargaming.net as there's a good chance it's used in there.
Note: it looks like the author of the package removed the malicious commit.
But of course they have to hype it up with "50k stars", "used by Microsoft, Uber, and Netflix" blah blah, otherwise it's a complete non-story.
Will adapt the wording to make it clearer. Thanks for the feedback!
If you want to discuss the potential damage an attacker can do with a GitHub account, why not hype it up even more unrealistically and talk about how they could have attacked any public repo on GitHub that accepts PRs. The article should either be limited to what actually happened or you should follow the thought through to its logical conclusion. Why do you stop when you've sufficiently scared people enough to start talking about Datadog tooling?
They don't say why they think it was an account compromise, rather than a malicious maintainer.
For what it's worth, the project referred to in the post is free, open-source, and unrelated to the commercial offering.
Do you have any evidence, one way or the other?
Let's not chop logic. I don't think you've been completely frank about this. The commit was signed by the maintainer, right, using a private key? That means the maintainer "done it", absent evidence to the contrary. And apparently the maintainer is silent.
> whose maintainer's account was likely compromised by a malicious actor
Seems to still be speculating about the cause without diving deeper into the topic, or is there some cache invalidation of the article that is missing perhaps?
How is that different than "speculation"? That sounds like textbook definition of "speculation".
"Speculation - the activity of guessing possible answers to a question without having enough information to be certain"
This is definitely pretty strange. Account takeovers happen, but just reverting the commit and closing the issue after one gets discovered is not the best way to handle these.
This is the reality of our modern software development process though. Your threat model now must include the GitHub account of every maintainer of every open source project you use.
We scan all the open source packages as they’re published, and got a hit for this pretty much right away. The volume of packages that get published that are malware is astonishing…
Kind of unfortunate that these guys just closed the issue, if they aren’t malicious actors. I suspect that this is a fake account, and not an account compromise, though.
The issue in general of backdoored packages is not new, but that it happened to you can be a new issue if you haven't either thought of it before or not simply encountered before. It would be very helpful if there was a resource out there answering the question "So your package was backdoored, what do you do now?" that people could refer to and get help.
It could have also been a researcher checking to see if anyone would notice, or something worse.
But GitHub is afaik the only site on the Internet that actually does account management correctly, so at least there is that.