Japan Blames North Korea for PyPI Supply Chain Cyberattack

Published: 23/11/2024   Category: security

Open source software ecosystem compromise leaves developers in Asia and around the globe at risk.



Japanese cybersecurity officials warned that North Korea's infamous Lazarus Group hacking team recently waged a supply chain attack targeting the PyPI software repository for Python apps.
Threat actors uploaded tainted packages with names such as pycryptoenv and pycryptoconf — similar in name to the legitimate pycrypto encryption toolkit for Python. Developers who get tricked into downloading the nefarious packages onto their Windows machines are infected with a dangerous Trojan known as Comebacker.
"The malicious Python packages confirmed this time have been downloaded approximately 300 to 1,200 times," Japan CERT said in a warning issued late last month. "Attackers may be targeting users' typos to have the malware downloaded."
Gartner senior director and analyst Dale Gardner describes Comebacker as "a general-purpose Trojan used for dropping ransomware, stealing credentials, and infiltrating the development pipeline."
Comebacker has been deployed in other cyberattacks linked to North Korea, including an attack on an npm software development repository.
"The attack is a form of typosquatting — in this case, a dependency confusion attack. Developers are tricked into downloading packages containing malicious code," Gardner says.
The latest attack on software repositories is of a type that has surged over the last year or so.
"These types of attacks are growing rapidly — the Sonatype 2023 open source report revealed 245,000 such packages were discovered in 2023, which was twice the number of packages discovered, combined, since 2019," Gardner says.
PyPI is a centralized service with a global reach, so developers worldwide should be on alert for this latest campaign by Lazarus Group.
"This attack isn't something that would affect only developers in Japan and nearby regions," Gardner points out. "It's something for which developers everywhere should be on guard."
Other experts say non-native English speakers could be more at risk for this latest attack by the Lazarus Group.
"The attack may disproportionately impact developers in Asia, due to language barriers and less access to security information," says Taimur Ijlal, a tech expert and information security leader at Netify.
"Development teams with limited resources may understandably have less bandwidth for rigorous code reviews and audits," Ijlal says.
Jed Macosko, a research director at Academic Influence, says app development communities in East Asia tend to be more tightly integrated than in other parts of the world due to shared technologies, platforms, and linguistic commonalities.
He says attackers may be looking to take advantage of those regional connections and trusted relationships.
"Small and startup software firms in Asia typically have more limited security budgets than do their counterparts in the West," Macosko notes. "This means weaker processes, tools, and incident response capabilities — making infiltration and persistence more attainable goals for sophisticated threat actors."
Protecting application developers from these software supply chain attacks is difficult and generally requires a number of strategies and tactics, Gartner's Gardner says.
Devs should exercise increased caution and care when downloading open source dependencies. "Given the amount of open source used today and the pressures of fast-paced development environments, it's easy for even a well-trained and vigilant developer to make a mistake," Gardner warns.
This makes automated approaches to managing and vetting open source an essential protective measure, he adds.
Software composition analysis (SCA) tools can be used to evaluate dependencies and can help in spotting fakes or legitimate packages that have been compromised, Gardner advises, adding that proactively testing packages for the presence of malicious code and validating packages using package managers also can mitigate risk.
"We see some organizations establishing private registries," he says. "These systems are supported by processes and tools that help vet open source to ensure it's legitimate and doesn't contain vulnerabilities or other risks," he adds.
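As an added example (not code from the article, Japan CERT, or any of the quoted vendors), the following Python check implements the kind of automated dependency vetting Gardner describes: it reviews a requirements file against a project allowlist, flags names that imitate well-known packages the way pycryptoenv and pycryptoconf imitate pycrypto, and reports dependencies that are installed without a hash pin. The allowlist, the well-known-name list and the sample requirements are constructed for illustration.

```python
import re
from typing import Dict, Iterator, List, Tuple

# Constructed allowlist: the packages this project is permitted to depend on.
ALLOWLIST = {"pycryptodome", "requests", "numpy"}
# Constructed list of well-known names that squatters imitate; "pycrypto" is
# the toolkit the article says pycryptoenv and pycryptoconf were named after.
WELL_KNOWN = {"pycrypto", "pycryptodome", "requests", "numpy"}

def normalize(name: str) -> str:
    """PEP 503 normalisation so Foo_Bar, foo.bar and foo-bar compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def parse_requirements(text: str) -> Iterator[Tuple[str, bool]]:
    """Yield (normalized name, has_hash_pin) for each requirement line."""
    for raw in text.replace("\\\n", " ").splitlines():   # join continuations
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):   # blank, comment or pip option
            continue
        m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if m:
            yield normalize(m.group(0)), "--hash=" in line

def review_requirement(name: str, has_hash: bool) -> List[str]:
    """Return the findings a reviewer should look at for one dependency."""
    if name in ALLOWLIST:
        # Allowlisted but not hash-pinned: a compromised release could still land.
        return [] if has_hash else ["missing --hash pin"]
    findings = ["not on allowlist"]
    for known in sorted(WELL_KNOWN):
        # Containment catches pycrypto -> pycryptoenv; distance catches plain typos.
        if known != name and (known in name or edit_distance(name, known) <= 2):
            findings.append(f"lookalike of {known}")
    return findings

def review_requirements(text: str) -> Dict[str, List[str]]:
    """Map every dependency in a requirements file to its findings."""
    return {name: review_requirement(name, h) for name, h in parse_requirements(text)}

if __name__ == "__main__":
    # Constructed requirements file, not a real project's.
    SAMPLE = "requests==2.31.0 --hash=sha256:0000\npycryptoenv==1.0.0\nnumpy==1.26.4\n"
    for dep, findings in review_requirements(SAMPLE).items():
        print(dep, findings or ["ok"])
```

Running it as a pre-merge check makes a typo'd or lookalike dependency a review finding rather than something pip silently resolves from the public index.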
While developers can take steps to lower exposure, the onus falls on platform providers like PyPI to prevent abuse, according to Kelly Indah, a tech expert and security analyst at Increditools. This is not the first time malicious packages have been slipped onto the platform.
"Developer teams in every region rely on the trust and security of key repositories," Indah says. "This Lazarus incident undermines that trust. But through enhanced vigilance and a coordinated response from developers, project leaders, and platform providers, we can work together to restore integrity and confidence."
