March 10, 2024 at 08:02PM
Japanese cybersecurity officials issued a warning about North Korea’s Lazarus Group targeting the PyPI software repository with tainted Python packages, infecting Windows machines with the Comebacker Trojan. Gartner’s Dale Gardner describes Comebacker as a general purpose Trojan. The attack is a form of typosquatting and may disproportionately impact developers in Asia due to language barriers. Protecting developers from such attacks requires caution, automated approaches, and SCA tools. The responsibility to prevent abuse falls on platform providers like PyPI.
According to the meeting notes, the Lazarus Group recently targeted the PyPI software repository for Python apps in a supply chain attack. The threat actors uploaded tainted packages with names similar to legitimate ones, tricking developers into installing the malicious packages on their Windows machines and infecting them with the Comebacker Trojan.
The tainted packages are confirmed to have been downloaded approximately 300 to 1,200 times, posing a significant risk to developers and users worldwide. Gartner senior director and analyst Dale Gardner describes Comebacker as a general-purpose Trojan used for dropping ransomware, stealing credentials, and infiltrating the development pipeline.
The attack is a form of typosquatting, a technique that has surged over the last year. Sonatype’s 2023 open source report highlighted this surge, revealing a concerning increase in such packages since 2019.
The impact of the attack may disproportionately affect developers in Asia, especially non-native English speakers, due to language barriers and limited access to security information. The attack aims to take advantage of regional connections and “trusted relationships,” making it imperative for developers and platform providers to work together to restore integrity and confidence in key repositories like PyPI.
To defend against these software supply chain attacks, the recommended strategies and tactics are: exercising increased caution and care when downloading open source dependencies, using automated approaches for managing and vetting open source, deploying software composition analysis (SCA) tools, and establishing private registries backed by processes and tools that vet open source before it is admitted.
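As an added illustration of the automated vetting step above (example code written for this post, not tooling from PyPI, Gartner or Sonatype), the following script audits a requirements file against an allowlist of vetted package names and flags dependencies whose names are within a small edit distance of a vetted one, which is the look-alike pattern typosquatting relies on. The allowlist, the distance threshold and the sample requirements (including the look-alike names) are constructed assumptions for the demonstration.

```python
import re

# Constructed allowlist: packages an organisation has already vetted.
# In practice this would be fed from a private registry or SCA inventory.
VETTED_PACKAGES = {"requests", "numpy", "pandas", "cryptography", "pyyaml"}

# Constructed sample requirements; the look-alike names are invented for
# this example and are not claims about real PyPI packages.
SAMPLE_REQUIREMENTS = """\
requests==2.31.0
numpy>=1.26
PyYAML>=6          # case/separator differences are normalised away
requets==1.0.0     # constructed look-alike of "requests"
cryptograpy        # constructed look-alike of "cryptography"
some-internal-lib  # simply not on the allowlist
"""

_NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalize(name: str) -> str:
    """Normalise a project name the way PyPI does (PEP 503)."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (two-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(name: str, vetted=VETTED_PACKAGES, max_distance: int = 2):
    """Return (verdict, closest vetted name) for one dependency name."""
    n = normalize(name)
    if n in vetted:
        return "vetted", n
    best = min(vetted, key=lambda v: levenshtein(n, v))
    if levenshtein(n, best) <= max_distance:
        return "suspect-typosquat", best  # near miss of a vetted name
    return "unvetted", None  # unknown, needs manual review before use


def audit_requirements(text: str):
    """Parse requirements.txt-style lines; return (name, verdict, closest)."""
    results = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and whitespace
        m = _NAME_RE.match(line)
        if m:  # skips blank lines and option lines such as "-r other.txt"
            results.append((m.group(1), *classify(m.group(1))))
    return results
```

Running `audit_requirements(SAMPLE_REQUIREMENTS)` marks the three vetted names as such, flags the two look-alikes as suspect with the vetted name they resemble, and leaves the internal library as unvetted for review.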
It is clear that a coordinated response from developers, project leaders, and platform providers is necessary to protect against these attacks and restore trust and security in key repositories like PyPI.