Items tagged with: SoftwareDeveloper
This weekend PyPi, the python software repository, suspended new accounts: the level of malicious activity has become unmanageable.
But this story is not just about Python: the level of risk from software dependencies has risen unimaginably: not a little, not a lot, this is big enough that it is hard to communicate and comprehend.
The number of methods being used for these attacks is growing, and developers are now a "target of choice" for many criminal groups.
For example, in 2022 there was a sudden increase in the number and effectiveness of "Phishing as a Service" (PhaaS) offerings in criminal markets. These services are effective at bypassing MFA. However, you may not know that these services are being used to target developer accounts, including repositories of private and open-source software. They want to trojanize the code and create the next big software-supply-chain compromise.
PhaaS is just one method. This weekend's announcement from PyPi was the result of criminals creating a large number of developer accounts so that they can publish malicious clones of existing packages. Typosquatting of packages is not a new phenomenon, but the constant stream of attacks is new.
You might assume that the repository hosts or managers must have a solution. They do not. The problems are diverse and many: from the management of repository hosting, to the security/trust verification features of packaging systems, to the security of repositories and the developers themselves.
There is no one solution, but solutions are needed.
My action item for you is this. Do not read cybersecurity stories about software repository compromises in isolation. Look at the forest and not the trees. Big risks are harder to understand than little ones but need the most urgent action.
Below is a small selection of stories in the comments to get you started. This is just a tiny fraction of the stories I have read and analyzed in the past year. The "hits just keep on coming".
#SoftwareDeveloper #GitHub #PyPi #NPM #Java #Python #CyberSecurity #PhishingAsAService #ThreatIntelligence #CTI #PhaaS #TypoSquatting #VSCode #Malware #SoftwareSupplyChain
VSCode Marketplace can be abused to host malicious extensions
Threat analysts at AquaSec have experimented with the security of VSCode Marketplace and found that it's surprisingly easy to upload malicious extensions from accounts that appear verified on the platform.
Bill Toulas (BleepingComputer)
Hi all! My name is Jeff, and I'm #softwareDeveloper and #maker in the process of relocating to #NewZealand.
Full introduction follows:
My immigration sponsor, #WorkingIn provided the green light to apply for jobs, I'm excited about it. Yesterday I applied for my first two!
#GnuCash #systemsAdministrator #Proxmox, #VMWare, #Redmine, #Owncloud, #ZoneMinder, #sUAS #CPlusPlus, #CSharp, #Python, #homelab #Plex, #mqtt, #proxmox
Attached: 4 images
Mastovillain
I'm a 23yo #SoftwareDeveloper with my own #foss app on the playstore. Daily driver on PC and #Steamdeck, currently #Arch / #steamos.
Favourite games are #csgo #rocketleague #osu #timerborn #forza5 #msfs and #trainsimworld2.
Love tinkering with stuff, running my own #server @ home with #gitlab #homeassistant #nextcloud and more.
Feel free to just ask stuff 😀 #introduction