Software Vulnerabilities Introduced by Dependencies

Dated Nov 14, 2020; last modified on Thu, 02 Sep 2021

Identifying Vulnerabilities

However heavily its source code is obfuscated, a malicious package still has to make system calls (open files, spawn processes, open network connections) in order to do anything interesting. Tracing those system calls during installation is easier than reading the obfuscated source.
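A small illustration of that idea, added here as an example and not taken from these notes or from the post it summarizes: run the install under a syscall tracer in a sandbox, then review the trace instead of the source. The script below parses lines shaped like strace output and flags the three things an install step rarely has a legitimate reason to do: spawn a process, open an outbound network connection, or read credential files. The sample trace lines are constructed, not a real capture, and the list of sensitive path markers is an assumption to be tuned per environment.

```python
"""Flag suspicious system calls in a (constructed) trace of a package install.

Added example, not code from the original notes or the referenced posts.
Line shape mimics `strace -f` output: "<pid> <syscall>(<args>) = <ret> ...".
"""
import re
from dataclasses import dataclass

# Constructed sample trace (not a real capture). The 203.0.113.0/24 range is TEST-NET.
SAMPLE_TRACE = """\
1234 openat(AT_FDCWD, "/tmp/pip-install/setup.py", O_RDONLY) = 3
1234 openat(AT_FDCWD, "/home/user/.ssh/id_rsa", O_RDONLY) = 4
1234 openat(AT_FDCWD, "/home/user/.aws/credentials", O_RDONLY) = -1 ENOENT (No such file or directory)
1234 socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) = 5
1234 connect(5, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("203.0.113.10")}, 16) = 0
1234 execve("/bin/sh", ["sh", "-c", "id"], 0x7ffd1234) = 0
1235 openat(AT_FDCWD, "/usr/lib/python3.9/site-packages/setuptools/__init__.py", O_RDONLY) = 3
"""

# One completed call per line; unfinished/resumed fragments and signal lines do not match.
_LINE_RE = re.compile(
    r'^(?P<pid>\d+)\s+(?P<name>\w+)\((?P<args>.*)\)\s*=\s*(?P<ret>-?\d+|\?)(?P<rest>.*)$'
)
_QUOTED_RE = re.compile(r'"([^"]*)"')

# Assumption: path fragments an install step has no business touching. Tune per environment.
SENSITIVE_PATH_MARKERS = (".ssh/", ".aws/", ".netrc", ".gnupg/", "/etc/shadow", ".docker/config.json")


@dataclass
class Finding:
    pid: int
    syscall: str
    detail: str
    reason: str


def parse_line(line):
    """Return {pid, name, args, ret} for a completed syscall line, else None."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    return {"pid": int(m["pid"]), "name": m["name"], "args": m["args"], "ret": m["ret"]}


def classify(call):
    """Return (reason, detail) if the call is worth a human look, else None."""
    name, args = call["name"], call["args"]
    if name in ("execve", "execveat"):
        path = _QUOTED_RE.search(args)  # first quoted string is the program path
        return "process spawned during install", (path.group(1) if path else args)
    if name == "connect" and ("AF_INET" in args or "AF_INET6" in args):
        addr = re.search(r'inet_addr\("([^"]+)"\)', args) or re.search(r'inet_pton\(AF_INET6, "([^"]+)"', args)
        port = re.search(r'htons\((\d+)\)', args)
        detail = f"{addr.group(1) if addr else '?'}:{port.group(1) if port else '?'}"
        return "outbound network connection during install", detail
    if name in ("open", "openat"):
        path = _QUOTED_RE.search(args)
        if path and any(marker in path.group(1) for marker in SENSITIVE_PATH_MARKERS):
            return "read of credential/sensitive file", path.group(1)
    return None


def scan_trace(text):
    """Scan a whole trace and return findings in trace order. Failed calls are
    still reported: an attempt to read ~/.aws/credentials is the signal, not
    whether the file happened to exist on this sandbox."""
    findings = []
    for line in text.splitlines():
        call = parse_line(line)
        if call is None:
            continue
        verdict = classify(call)
        if verdict is None:
            continue
        reason, detail = verdict
        if call["ret"].startswith("-"):
            detail += " (call failed)"
        findings.append(Finding(call["pid"], call["name"], detail, reason))
    return findings


if __name__ == "__main__":
    for f in scan_trace(SAMPLE_TRACE):
        print(f"pid {f.pid}: {f.syscall:8s} {f.reason}: {f.detail}")
```

In practice the trace comes from running the install inside a throwaway container or VM under the tracer, so that whatever the package does happens to the sandbox and not to your workstation; reviewing the handful of flagged lines is then a far smaller job than deobfuscating `setup.py`.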

Suggestions

Know your dependencies by heart, and know their maintainers. Be aware of problems going on in the project and help where you can, e.g. with patches or funding.

References

  1. Hunting for Malicious Packages on PyPI. Jordan Wright. https://jordan-wright.com/blog/post/2020-11-12-hunting-for-malicious-packages-on-pypi/. Nov 12, 2020.
  2. Dependencies and Maintainers. Drew DeVault. https://drewdevault.com/2020/02/06/Dependencies-and-maintainers.html. Feb 6, 2020.