64
Rust Malware Staged on Crates.io (blog.phylum.io)
submitted 1 year ago by wolf4ood@lemmy.ml to c/rust@lemmy.ml
5 comments fedilink hide all child comments
top 5 comments
sorted by: hot top controversial new old
[-] BB_C@programming.dev 15 points 1 year ago

Yay. My first ad-masquerading-as-a-genuine-post experience on Lemmy!

Thus, we’ve developed a cargo extension that transparently queries the Phylum API for information about a package before it’s allowed to build.

Only our* malware-like behaviour is blessed. Because it's a feature. And research-based. And security-oriented. And commercial! We told you about it beforehand and sold you the idea.

* Assuming the malware discovered is not theirs too.

[-] expertmadman@sh.itjust.works 5 points 1 year ago* (last edited 1 year ago)

I'm one of the co-founders @ Phylum. We have a history of reporting these attacks/malware to the appropriate organizations. We work closely with PyPI, NPM, Github, and others - and have reported thousands of malicious packages in the last few years. If you were following GIthub's recent security advisory, you can see a shout-out for some of our previous work. There are also public thanks from the Crates.io team for our efforts over on HN.

I say all this to assure you we didn't write or release this malware. It just wouldn't make sense, especially when these open-source ecosystems contain so much malware for us to hunt and report on already. Though I get the logic, we have seen other security companies do this - and called them out for it.

Our platform is free for developers and small teams (heck, I'll give anyone who asks for it a free pro account if you really need it). We've open-sourced our CLI and sandbox that limits access to network/disk/env during package installation. We're genuinely - really - trying to help make these ecosystems safer.

[-] krnl386@lemmy.ca 12 points 1 year ago

Thanks for sharing. Very nice writeup.

[-] Lucky@lemmy.ml 7 points 1 year ago

Another way to mitigate type squatting would be namespacing crates. Much easier to verify who owns the package and related packages

[-] Vorpal@programming.dev 2 points 1 year ago

Doesn't really help: what if you typo the namespace instead? Same exact issue. Namespaces are useful for other things though, but not security.

this post was submitted on 24 Aug 2023
64 points (93.2% liked)

Rust Programming

7734 readers
1 users here now

founded 5 years ago
MODERATORS
nutomic@lemmy.ml
Joe@lemmy.ml
AgreeableLandscape@lemmy.ml