Handle `Forever Vulnerable` Packages

[keshav-space]

There are many packages out there that are inherently malicious and often employs technique like dependence confusion to trick users/developers into installing the malicious variant of legitimate packages.

For instance, Snyk discovered that PyPI package testpipper was malicious and was subsequently taken down by Python Software Foundation. The package attempts to steal Google Chrome data and injects a persistent malicious agent into the discord process. see Snyk blog for more 📂 Zip file of the malicious package testpipper-0.0.1.zip

We need to identify such packages and label them as Forever Vulnerable

A possible solution could be to have a separate repository (say EvilHunter)

• that will contain lists of known malicious packages across the different ecosystems
• along with the publisher/developer of those malicious packages
• automated static analysis of package metadata to flag potentially malicious package
• folks in security can submit a New Malicious Package Detection request along with the POCs or IOCs
• those covering or dealing with security can also submit an Existing Malicious Package Identification request along with relevant and credible citation/s.

VulnerableCode can then run a special improver ( MalicousPackageDetectionImprover ) and tag them as Forever Vulnerable

See also:

• https://github.com/nexB/vulnerablecode/issues/1408
• https://github.com/nexB/vulnerablecode/issues/1521
• https://github.com/nexB/vulnerablecode/issues/1409
• https://github.com/nexB/vulnerablecode/issues/1406
• https://github.com/nexB/vulnerablecode/issues/939
• https://github.com/nexB/vulnerablecode/issues/761
• https://github.com/nexB/vulnerablecode/issues/989

[armijnhemel]

Also see #761 although that is primarily about binaries, not source code.

[armijnhemel]

Also see:

https://blog.phylum.io/phylum-discovers-dozens-more-pypi-packages-attempting-to-deliver-w4sp-stealer-in-ongoing-supply-chain-attack