2023/10/16 14:41:43

Open Source Repositories

Chronicle

2023

20,000 dangerous packages found in popular open source repositories

The world's most popular open source software repositories contain more than 20,000 dangerous packages. This was reported by Kaspersky Lab on October 16, 2023.

According to the antivirus company, its specialized Kaspersky Open Source Software Threats Data Feed database holds information on 42 thousand vulnerabilities in more than 10 thousand packages, as well as on 11 thousand malicious or potentially dangerous packages.

In the most popular repositories of open source software there are more than 20 thousand dangerous packages

Of all the vulnerabilities discovered, the largest share (29%) were those that could allow security restrictions to be bypassed. In second place, with 22%, were vulnerabilities that could potentially cause a denial of service, followed by vulnerabilities that allow arbitrary code to be executed on devices.

These are followed by vulnerabilities such as user interface spoofing (7%), privilege escalation (6%), theft of confidential information (6%), and malware (6%). The remaining 12% were spread across smaller categories of problems.

Of all the vulnerabilities discovered, Kaspersky Lab specialists classified 43% as high severity and another 11% as critical severity. For comparison, the December 2022 snapshot showed 35% high-severity and about 10% critical-severity threats. That is, over the 10 months of 2023 the share of high-severity vulnerabilities increased by 8%.

According to the experts, most of the discovered vulnerabilities can lead to security bypass, denial of service, or even arbitrary code execution on users' devices. To check open source software for vulnerabilities and implanted backdoors, Kaspersky Lab recommended that Russian companies use dedicated tools offered by domestic and foreign information security vendors.[1]

Global open repository of enterprise Linux solutions launched

On August 10, 2023, CIQ, Oracle and SUSE announced the formation of the Open Enterprise Linux Association (OpenELA), whose main task is to create a public repository of enterprise Linux solutions.

2022: Open source repositories flooded with tens of thousands of malicious packages

On December 14, 2022, Checkmarx and Illustria released the results of a joint study indicating that open source software repositories are flooded with malicious packages.

Cyber security experts found more than 144 thousand potentially dangerous packages in NuGet, NPM and PyPI. Their descriptions are reported to contain links to phishing pages that cybercriminals can use to run various fraudulent schemes, including stealing money or harvesting credentials (logins and passwords).

Phishing package distribution campaign spotted by analysts from Checkmarx and Illustria

Further investigation showed that automation tools were apparently used to publish the malicious modules: the packages were uploaded from accounts whose names follow the template <a-z><1900-2022>, and many of these "users" published an identical number of packages. The attackers distributed the malicious modules under names associated with hacking, cheats and supposedly free resources; for example, some packages were called "free-steam-codes-generator," "yalla-ludo-diamond-hack," "a3-still-alive-hack-diamonds" and "project-makeover-hack-gems." In this way the attackers lured victims into eventually visiting a phishing site.

A total of 144,294 malicious packages were found. Of these, 136,258 are hosted on NuGet, 212 on NPM and 7824 on PyPI. The phishing campaign is associated with more than 65,000 unique URLs across 90 domains. The web pages posted by the cybercriminals are very carefully crafted and in some cases even include fake interactive chats whose dialogue is automated.[2]
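The two paragraphs above describe three observable indicators of the campaign: publisher accounts named after the template <a-z><1900-2022>, package names built from hacking/cheat/free-resource keywords, and descriptions that link out to external pages, plus a campaign-level signal that many accounts published an identical number of packages. The following Python example, added here and not part of the original article or of the Checkmarx/Illustria tooling, turns those indicators into a simple triage score over package metadata. The keyword list, the score threshold, the minimum-accounts value and the sample registry records are all constructed assumptions for illustration.

```python
import re
from collections import Counter

# Publisher-name template reported in the write-up: one lowercase letter
# followed by a year between 1900 and 2022.
ACCOUNT_TEMPLATE = re.compile(r"^[a-z](19\d{2}|20[01]\d|202[0-2])$")

# Lure vocabulary seen in the reported package names; the list is an
# assumption extended slightly beyond the four names quoted in the article.
LURE_KEYWORDS = frozenset(
    ("hack", "cheat", "free", "generator", "codes", "diamonds", "gems", "unlimited")
)

# Any outbound link in the description counts as one indicator.
URL_RE = re.compile(r"https?://\S+")


def score_package(pkg):
    """Return (score, reasons) for one package-metadata dict.

    pkg is a constructed record with keys: name, author, description.
    Each matched indicator adds one point; reasons explain the points."""
    reasons = []
    if ACCOUNT_TEMPLATE.match(pkg["author"]):
        reasons.append("author matches <a-z><1900-2022> template")
    name_tokens = set(re.split(r"[-_.]", pkg["name"].lower()))
    hits = sorted(name_tokens & LURE_KEYWORDS)
    if hits:
        reasons.append("lure keywords in name: " + ", ".join(hits))
    urls = URL_RE.findall(pkg["description"])
    if urls:
        reasons.append(f"{len(urls)} external link(s) in description")
    return len(reasons), reasons


def find_uniform_publishers(pkgs, min_accounts=2):
    """Return template-matching authors that share an identical package count
    with at least `min_accounts` other such authors (the campaign-level
    signal: bulk-created accounts publishing the same number of packages)."""
    per_author = Counter(
        p["author"] for p in pkgs if ACCOUNT_TEMPLATE.match(p["author"])
    )
    by_count = {}
    for author, n in per_author.items():
        by_count.setdefault(n, set()).add(author)
    flagged = set()
    for authors in by_count.values():
        if len(authors) >= min_accounts:
            flagged |= authors
    return flagged


def triage(pkgs, threshold=2):
    """Return the sorted names of packages scoring at or above threshold."""
    return sorted(p["name"] for p in pkgs if score_package(p)[0] >= threshold)


# Constructed sample feed; these are not real registry records. The four lure
# names are the ones quoted in the article, the rest is invented filler.
SAMPLE_PACKAGES = [
    {"name": "free-steam-codes-generator", "author": "k2019",
     "description": "Get codes now https://example.invalid/steam"},
    {"name": "a3-still-alive-hack-diamonds", "author": "k2019",
     "description": "Diamonds for free https://example.invalid/a3"},
    {"name": "yalla-ludo-diamond-hack", "author": "m2021",
     "description": "Unlimited diamonds https://example.invalid/ludo"},
    {"name": "project-makeover-hack-gems", "author": "m2021",
     "description": "Gems here https://example.invalid/makeover"},
    {"name": "requests-helper", "author": "alice",
     "description": "Thin wrapper around requests sessions."},
    {"name": "fast-json-parser", "author": "q2001",
     "description": "SIMD JSON parser bindings."},
]

if __name__ == "__main__":
    for p in SAMPLE_PACKAGES:
        print(p["name"], score_package(p))
    print("flagged packages:", triage(SAMPLE_PACKAGES))
    print("uniform publishers:", find_uniform_publishers(SAMPLE_PACKAGES))
```

Note that the account-name template alone is a weak signal (the benign "fast-json-parser" by "q2001" scores one point and is not flagged), which is why the example only reports packages that combine at least two indicators, and why the publisher-count check is kept separate from the per-package score.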

Notes