rhalar
commented
2 days ago Hi! I work for ReversingLabs and have been responsible for our OSSF integration.
So, to clarify our process; we track multiple sources for malware activity on a number of repositories, and we also do our own internal research where we try to catch malicious packages and classify, and report them, as soon as possible. We own a large database of malicious packages with supporting metadata, but we currently limit our output on the OSSF to packages we think we independently found and reported, based on all available information we are aware of (alongside some other criteria, but I don't think that matters here).
It's quite possible that something we claim to have found was also found by you and reported earlier, but we have no way of knowing since no public information is available (that we are aware of that is; please direct us to a source if it's available!), and some repository maintainers weren't quite open in sharing security info with us, so we work with what we have. Alternatively, our tracking might be buggy, which also isn't out of the question :) But, anything we report as found by us has the requirement that it was independently found by our researchers, any kind of missing attribution is completely unintentional!
Some repositories also have a limit on reports strangely enough, I think NPM is an example. So sometimes we do find malicious packages a lot earlier but aren't able to report them until they allow us to. We try to at least check that the package was not already removed by the time we find it.
Anyhow, we'd love to correct any misattribution we might have done ourselves, but to do so automatically we have to enter a record with a reference of a reporter (along with the report time) to our database. Is there a way you could, and would be willing to, provide something of the sort?
Alternatively you can also open a PR and fix it yourselves, the automated ingestion shouldn't override the edits and the OSSF can do the validation it that case.
However, I don't think there is a limit to credit entries with the FINDER type so it's possible that both attributions could stay, unless you insist we remove ours. I'm not sure if the OSSF has a policy on this?
We apologize for any apparent slights, hope we can resolve it quickly!
As part of the Macaron package, we have identified several malicious Python packages in your records that have been incorrectly attributed to ReversingLabs as the FINDER. Two examples are the manyhttps and multiconnection packages. We are happy to provide confirmation emails from the PyPI security team for our reports. How can we share this information to update your records?