louislang | 2 years ago

One of the sources referenced in the paper is about the work the company I co-founded is doing (https://phylum.io). We've been working closely with PyPI not only to report issues related to malware, but also to help provide guidance around ongoing work to help curb additional malware in the ecosystem. I think this is a step in the right direction, and one I hope other ecosystems will eventually take.

Though, this is likely to be a cat and mouse game for the foreseeable future. Detection will get better, and attackers will change tactics.

In the meantime, we've been open-sourcing some tooling to help protect developers from these sorts of attacks. Namely, a sandbox that locks down network/disk/env [1] and our CLI [2] that allows you to perform a `pip` install in the sandbox, after checking our API for behaviors/issues with the package. For example:

    phylum pip install <pkgName>

Really glad to see software supply chain security getting some academic, rigorous study. Backstabber's Knife was one of the first I came across, and it's been a consistent stream of papers since.

1. https://github.com/phylum-dev/birdcage

2. https://github.com/phylum-dev/cli

thenerdhead|2 years ago

> Though, this is likely to be a cat and mouse game for the foreseeable future. Detection will get better, and attackers will change tactics.

How do you see detection ever getting better to the point where it isn't a game of cat and mouse? Isn't the whole point of these security threats that go undetected that they are novel attacks? Or even popularized attacks with different parameters?

In these trust-but-verify models of a central registry, it will require some heavy lifting like AI security detection to even keep up with. That seems like a new problem in itself if introduced.