A free and open vulnerabilities database and the packages they impact. And the tools to aggregate and correlate these vulnerabilities.
Sponsored by NLnet https://nlnet.nl/project/vulnerabilitydatabase/ for https://www.aboutcode.org/
Chat at https://gitter.im/aboutcode-org/vulnerablecode
Docs at https://vulnerablecode.readthedocs.org/
There are many packages out there that are inherently malicious and often employ techniques like dependency confusion to trick users/developers into installing the malicious variant of a legitimate package.
For instance, Snyk discovered that the PyPI package testpipper was malicious, and it was subsequently taken down by the Python Software Foundation. The package attempts to steal Google Chrome data and injects a persistent malicious agent into the Discord process. See the Snyk blog for more.
📂 Zip file of the malicious package testpipper-0.0.1.zip
We need to identify such packages and label them as Forever Vulnerable.
A possible solution could be to have a separate repository (say `EvilHunter`) that:

- contains lists of known malicious packages across the different ecosystems, along with the publisher/developer of those malicious packages
- runs automated static analysis of package metadata to flag potentially malicious packages
- lets folks in security submit a New Malicious Package Detection request along with PoCs or IoCs
- lets those covering or dealing with security also submit an Existing Malicious Package Identification request along with relevant and credible citation(s)

VulnerableCode can then run a special improver (`MaliciousPackageDetectionImprover`) and tag them as Forever Vulnerable.
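The sketch below is an added example, not VulnerableCode's code and not a proposed patch: it shows how the curated EvilHunter list and the metadata heuristics from the proposal above (including the dependency-confusion case mentioned at the top) could feed an improver-style step. Everything in it is assumed: the JSON shape of an EvilHunter entry, the tiny "popular" and "internal-only" name lists, the setup.py patterns, and the `Finding` output shape; the `vers:<scheme>/*` range uses the vers spec's star for "all versions".

```python
"""Added example, not part of VulnerableCode: a stand-alone sketch of the
proposed MaliciousPackageDetectionImprover flow. Every list and shape here is
constructed for illustration."""
import difflib
import json
import re
from dataclasses import dataclass, field

# Constructed EvilHunter-style list (invented entry shape); the one entry is
# the testpipper case described in the issue.
EVILHUNTER_JSON = """[
  {"purl": "pkg:pypi/testpipper", "publisher": "unknown",
   "citation": "Snyk blog post on testpipper", "kind": "existing-identification"}
]"""

# Constructed, deliberately tiny, set of popular names for the typosquat check.
POPULAR_PYPI_NAMES = {"requests", "numpy", "urllib3", "boto3", "django"}

# Constructed names an organisation publishes only on a private index; seeing
# them on a public index is the dependency-confusion signal.
INTERNAL_NAMES = {"acme-billing", "acme-auth"}

# Patterns in setup.py that run code at install time or hide a payload.
SUSPICIOUS_SETUP_PATTERNS = {
    "custom install hook": re.compile(r"cmdclass\s*=\s*\{[^}]*['\"]install['\"]"),
    "shell execution": re.compile(r"\b(os\.system|subprocess\.(run|Popen|call))\b"),
    "encoded payload": re.compile(r"\bbase64\.b64decode\b"),
    "network fetch": re.compile(r"\b(urllib\.request\.urlopen|requests\.get)\b"),
}


@dataclass
class PackageMetadata:
    ecosystem: str
    name: str
    version: str
    publisher: str = ""
    setup_py: str = ""


@dataclass
class Finding:
    purl: str
    forever_vulnerable: bool
    affected_versions: str          # vers range; "*" means every version
    reasons: list = field(default_factory=list)


def load_evilhunter(text):
    """Map versionless purl -> entry, from a JSON list of entries."""
    return {entry["purl"]: entry for entry in json.loads(text)}


def base_purl(pkg):
    return f"pkg:{pkg.ecosystem}/{pkg.name.lower()}"


def typosquat_target(name, popular=POPULAR_PYPI_NAMES):
    """Return the popular name this one closely resembles, if any."""
    for candidate in popular:
        if name != candidate and difflib.SequenceMatcher(None, name, candidate).ratio() >= 0.85:
            return candidate
    return None


def metadata_heuristics(pkg):
    """Static checks on metadata only; each hit is a reason string."""
    reasons = []
    name = pkg.name.lower()
    if name in INTERNAL_NAMES:
        reasons.append(f"name '{name}' collides with an internal-only package (dependency confusion)")
    target = typosquat_target(name)
    if target:
        reasons.append(f"name '{name}' is within edit distance of popular package '{target}'")
    for label, pattern in SUSPICIOUS_SETUP_PATTERNS.items():
        if pattern.search(pkg.setup_py):
            reasons.append(f"setup.py: {label}")
    return reasons


def improve(pkg, evilhunter):
    """One improver step: curated listing -> Forever Vulnerable for all versions;
    heuristics alone -> a finding on this version for a human to confirm."""
    purl = base_purl(pkg)
    entry = evilhunter.get(purl)
    reasons = []
    if entry:
        reasons.append(f"listed in EvilHunter ({entry['kind']}, cited: {entry['citation']})")
    reasons += metadata_heuristics(pkg)
    forever = entry is not None
    return Finding(
        purl=purl,
        forever_vulnerable=forever,
        affected_versions=f"vers:{pkg.ecosystem}/*" if forever else f"vers:{pkg.ecosystem}/{pkg.version}",
        reasons=reasons,
    )


if __name__ == "__main__":
    evil = load_evilhunter(EVILHUNTER_JSON)
    sample = PackageMetadata("pypi", "testpipper", "0.0.1", setup_py="import os\nos.system('curl ...')")
    print(improve(sample, evil))
```

The split matters: only a curated, cited listing earns the permanent tag, while typosquat distance or a suspicious setup.py on its own just produces a reviewable finding, since those heuristics will also fire on legitimate packages.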