Ever npm/pip installed malware? A modest call for action

John Speed Meyers — Thu, 04 Feb 2021 18:34:21 +0000

The npm and Python Package Index registries that help make Javascript and Python popular, productive, and fun programming languages have over recent years been the victims of malicious attacks. The Python Package Index (PyPI), for instance, has suffered dozens of attacks, including typosquatting attacks in which an attacker mimics the name of a popular package to trick developers into downloading malware.

To reduce the number and impact of these attacks on the Javascript and Python ecosystems, concerned developers can take a number of actions. (For a longer list, see this blog post.)

Consider contributing your talents to projects that seek to improve the security of these registries. One project worth your attention is Aura, a Python source code auditing and static analysis tool. For those who want to explore Python malware detection challenges identified as important by the Python Software Foundation, see here. Consider contributing malware checks to the Python Package Index codebase, aka Warehouse.
For those interested in directly identifying malicious packages, you'll need to build registry scanners and then analyze the results, reporting any malware you find. One past effort is pypi-scan, but I'm looking forward to future, more capable scanners in the future!
Join the working group meetings of the Open Source Security Foundation, or OpenSSF. This is a community dedicated to upholding the security of open source software.

Whatever you do, remember that these ecosystems depend on security for their continued health. So consider doing your part!

DEV Community: John Speed Meyers

Ever npm/pip installed malware? A modest call for action