These act as a central space for getting essential packages and come in very handy during the development cycle of software.
But, as we all know. Significant services such as these attract a lot of unwanted attention from malicious actors.
A recent research report by Sonatype has brought forward some very concerning things happening in these popular software repositories.
Allow me to explain the situation to you.
What were the findings?: Last month, when the security researchers at Sonatype ran their AI-enabled tooling, they caught 691 malicious packages in the npm registry and 49 in the PyPI registry.
The first one is a package that depends on all the publicly available npm packages, and the second one claims that all of its packages are part of the first one (no-one-left-behind).
You see how this can cause a headache.
Say someone wants to take their package off the repository; well, they cannot, as packages in the npm public registry cannot be unpublished if there are packages that depend on it.
So, now your package is stuck in limbo due to some obscure package preventing you from unpublishing.
That is not all; the security researchers also found that the npm registry has seen a notable uptick in cryptocurrency miners, with many of these impersonating well-known legitimate packages.
Whereas, in the case of PyPI, the same author (sexydev1337) has published packages that contain heavily obfuscated code (using Hyperion).
The researchers found that the code can execute scripts to download and run malicious binaries from external servers and even replace executables.
Furthermore, they also noticed that many malicious actors had devised ways to curtail scrutiny done via virtual machines.
How is this being handled?
Luckily, the npm security team removed 'no-one-left-behind' from the repository, and it is now a placeholder with a security risk warning to prevent dependency issues.
But the 'infinitebrahamanuniverse' package is still alive and kicking as they monitor it closely.
Other than that, let us hope we do not find malicious packages regularly from pnp and Pypi.
The suggestion remains - stick to packages you can verify and avoid abandoned or known malicious apps.