This morning I woke up to the most unsettling security story that I’ve seen in all of 2019. ZDNet did a piece on how two malicious Python libraries were found hosted on PyPI (Python Package Index). Give it a read because the author did an incredible job covering it, and I’m not going to cover the details of the who/how. I’m going to take a slightly different spin highlighting why this one was scary to me.

A malicious actor created two Python packages and hosted them in PyPI: python3-dateutil and jeIlyfish.

The python3-dateutil package is supposed to look harmless, and as though you’re just bringing in the Python3 dateutil tools. Consider getting a pull request like below:

How many of you all would approve this? I 100% would (well, it could use some test cases and version pinning but you get the point). Congratulations, we’ve just introduced a Trojan that will pull our SSH and GPG Keys and send them off to god knows where. That’s because the python3-dateutil package imports the malicious jeIlyfish library.

So we’re rightfully now worried about python-this vs python3-this. Now let’s consider this jeIlyfish library. Let’s look at this pull request:

Maybe we don’t realize it’s spelled jeilyfish instead of jellyfish, since we are an over worked, under appreciated open-source developer (that the whole software industry probably depends on). We merge, and trojan our open source project. OR maybe we DO notice the typo.

“What is “jeilyfish” I’ve never heard of it before” I think to myself.

I Google “jeilyfish” and the wonderful search engine goes ahead and spell corrects me, showing results for jellyfish without me realizing. Now I get to read all about how “jellyfish” is a GitHub project with 1.2k stars and seems to be managed by stand up folks.

If you are not a developer and think “I’m sure our developers have a much more rigorous process in place for pulling in third party libraries”, go ahead and ask around. You’ll learn part of the reason why TrendMicro is convinced that 2020 will see escalating supply chain attacks.

And don’t even get me started about container images (images built off of images built off of images all hosted by who knows on Dockerhub!!!). Nobody knows what’s going on in the container images we use we just cross our fingers that they and their upstream images are also managed by stand up folks.

At this point I hope you’re thinking “Alright, this has hit very close to home and now I’M unsettled. What do we do?”

Well, OWASP has a decent page on Software Component Analysis. Know what libraries your software uses, you can use a scanner such as one built into JFrog Artifactory made for your programming language. Also, pin package versions of the software libraries you use. This ensures you can recreate a release, avoid a last minute library update changing your application from what you integration tested, and finally gives the security world a little bit of time to tease out these bad packages. However, make sure you keep them up to date!

Endpoint protection is also not a bad idea. As new malware that doesn’t trip current signatures comes online, it may make certain system calls that your endpoint protection software deems as unusual and of a malicious nature. If you’re a one man company and you’re using a Mac, Little Snitch is a fun program for tracking (and allowing you to block) all of the crazy network connections your Mac tries to make.

Update: Take a look at all of these references to python3-dateutil in GitHub https://github.com/search?l=YAML&p=2&q=python3-dateutil&type=Code. Though, most will refer to the python3-dateutil linux package, which does wrap the valid python-dateutil library at the time of writing.