How did the Python supply chain attack occur?
A Python supply chain attack made it possible for an attacker to steal cryptocurrency. What steps should be taken to prevent incidents like this?
A security researcher reported a supply chain attack that involved an official software repository for the Python programming language. How did this supply chain attack work?
There isn't a sysadmin or programmer around who hasn't cursed a software installer, or its associated instructions, for overlooking something that results in a failed install.
The frustration of just wanting to get an installation done led to the introduction of more automated tools, making it easier and more reproducible to install software. It also led to Autoconf, the Perl Package Manager, apt, app stores and many other tools, including the Python programming language.
Moreover, each app store or installation system has its own security model, and the enterprise using it needs to understand that model, as well as how it might differ from what the company expects.
In the Python incident, the supply chain attack focuses on the PyPI repository in a quest to steal cryptocurrency. A security engineer wrote about the hack, saying he found a PyPI package, dubbed colourama, when performing security scans. The engineer found 11 malicious packages and reported them to the PyPI team. This attack works by typosquatting on a legitimate Python package named colorama, which is used to produce colored terminal text and cursor positioning on Microsoft Windows.
When the malicious code is downloaded, it triggers a script that monitors the Windows clipboard for signs of a bitcoin address. The supply chain attack takes advantage of vulnerabilities that exist in software module installers. This incident -- and others -- should remind enterprises and developers that all the components of third-party code that they use in their software should be thoroughly vetted before they're put into production.
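One way to apply that vetting advice to the typosquatting case described above is to flag any dependency whose name is a near miss of a package you already trust. The following is an added example, not code from the original article or from PyPI; the allowlist (apart from colorama), the distance threshold and the sample requirement lines are assumptions constructed for illustration.

```python
import re

# Assumed allowlist of vetted packages; only "colorama" comes from the article.
TRUSTED = {"colorama", "requests", "python-dateutil"}

def normalize(name):
    """PEP 503 normalization: lowercase, runs of -, _ and . collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]

def requirement_name(line):
    """Project name from a requirements.txt line, or None for options/blank lines."""
    line = line.split("#", 1)[0].strip()
    m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
    return normalize(m.group(0)) if m else None

def find_suspects(lines, trusted=TRUSTED, max_distance=2):
    """Return (name, lookalike, distance) for names near, but not in, the allowlist."""
    trusted = {normalize(t) for t in trusted}
    suspects = []
    for line in lines:
        name = requirement_name(line)
        if name is None or name in trusted:
            continue
        for good in sorted(trusted):
            d = edit_distance(name, good)
            if 0 < d <= max_distance:
                suspects.append((name, good, d))
    return suspects

# Constructed sample input; version numbers are placeholders.
SAMPLE = ["requests==2.0.0", "colourama==0.0.1  # typo", "Python_Dateutil>=2.0",
          "flask", "-r other.txt"]

if __name__ == "__main__":
    for name, good, d in find_suspects(SAMPLE):
        print(f"REVIEW {name}: {d} edit(s) from trusted package {good}")
```

Running a check like this in CI before the install step stops the build for review rather than letting a misspelled name reach the installer.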