
Luke Hinds for Stacklok


Using the Trusty API to discover deprecated and malicious packages.

Following on from my last post on using the Trusty API for source-of-origin provenance, this post expands on the topic and shows how you can get a view of a package's state of maintenance and risk.

Deprecated Packages

Let's first consider a real-world case. As a developer, you're tasked with building an OAuth2 framework for Python. Like most of us, you will likely start with a Google search. Opening an incognito session, we see that the second result references a package on PyPI.


Looking at the PyPI page shows a green 'Latest Version' button.


All looks good. The last release was a while ago, but it is possible for a project to have limited exposure to other dependencies and a good definition of done.

However, let's check the Trusty API, and in particular its archived field:

curl -sS https://api.trustypkg.dev/v2/pkg\?package_name\=python-oauth2\&package_type\=pypi |jq '.archived'

true

A quick visit to the GitHub repo confirms this is true.


Malicious Packages

Let's take a recent attack discovered by Trusty, where the popular Python package "requests" was typosquatted with the package name "requestn":

curl -sS https://api.trustypkg.dev/v2/pkg\?package_name\=requestn\&package_type\=pypi |jq '.malicious'
{
  "summary": "Malicious code in requestn (PyPI)",
  "details": "This package is considered malicious because it extracts OS files of the localhost and sends the contents to an unknown Telegram channel.",
  "published": "2024-06-06T13:18:09Z",
  "modified": "2024-06-06T13:18:09Z",
  "source": "https://osv.dev/vulnerability/MAL-2024-1547"
}

Visiting the referenced OSV link shows this is in fact a malicious package.
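As an added example that is not part of this post or of Stacklok's own tooling, here is a small Python scanner that applies the two checks shown above (the archived flag and the malicious object) to a list of package names. The pkg endpoint and its package_name/package_type parameters are the ones used in the curl commands; the shape of the response for a package that is not flagged, and the SAMPLE_RESPONSES data, are my assumptions, constructed to mirror the jq output above so the script runs offline.

```python
import json
import urllib.parse
import urllib.request

TRUSTY_PKG_URL = "https://api.trustypkg.dev/v2/pkg"  # endpoint queried with curl above

def fetch_trusty(package_name, package_type="pypi"):
    """Live lookup of one package (needs network); returns the decoded JSON document."""
    query = urllib.parse.urlencode({"package_name": package_name, "package_type": package_type})
    with urllib.request.urlopen(f"{TRUSTY_PKG_URL}?{query}", timeout=10) as resp:
        return json.load(resp)

def assess(package_name, info):
    """Turn the `archived` and `malicious` fields of one Trusty response into findings."""
    findings = []
    if info.get("archived") is True:
        findings.append(f"{package_name}: upstream repository is archived (unmaintained)")
    malicious = info.get("malicious")
    # Assumption: `malicious` is null/absent when clean and an object like the requestn
    # example (summary, details, source, ...) when flagged.
    if isinstance(malicious, dict) and malicious:
        findings.append(f"{package_name}: MALICIOUS - {malicious.get('summary', '?')} "
                        f"({malicious.get('source', 'no source')})")
    return findings

def scan(package_names, fetch=fetch_trusty):
    """Look up each name; a failed lookup is reported rather than silently passed as clean."""
    findings = []
    for name in package_names:
        try:
            info = fetch(name)
        except Exception as exc:  # network error, unknown package, malformed JSON
            findings.append(f"{name}: lookup failed ({exc!r})")
            continue
        findings.extend(assess(name, info))
    return findings

# Constructed responses shaped like the two jq outputs in this post; not live API data.
SAMPLE_RESPONSES = {
    "requests": {"archived": False, "malicious": None},
    "python-oauth2": {"archived": True, "malicious": None},
    "requestn": {"archived": False, "malicious": {
        "summary": "Malicious code in requestn (PyPI)",
        "source": "https://osv.dev/vulnerability/MAL-2024-1547"}},
}

def offline_fetch(name):
    return SAMPLE_RESPONSES[name]  # KeyError stands in for a failed live lookup
```

Call `scan(["requests", "python-oauth2", "requestn"], fetch=offline_fetch)` to run against the constructed data, or drop the `fetch` argument to query the live API.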


As mentioned in my previous post, Trusty's APIs are public and available for others to build upon. Have a good idea for a possible integration with our API? I would love to learn more; please let me know on X @decodebytes or via a comment on this post.
