Attackers leverage PyPI to sideload malicious DLLs

Welcome to the latest edition of Chainmail: Software Supply Chain Security News, which brings you the latest software supply chain security headlines from around the world, curated by the team at ReversingLabs.

This week: Attackers leverage PyPI to sideload malicious DLLs. Also: GitHub CoPilot makes insecure code even less secure. 

This Week’s Top Story

Attackers leverage PyPI to sideload malicious DLLs

Earlier this week, RL researchers shared their discovery of two suspicious packages on the Python Package Index (PyPI), an open-source package manager. The two packages, NP6HelperHttptest and NP6HelperHttper, were observed using DLL sideloading, a well-documented technique that malicious actors use to execute code without attracting the attention of security monitoring tools. 

This latest discovery suggests that the scope of software supply chain threats is continuing to expand, and that the trend of open-source platforms and code being used for a growing and diversifying range of malicious activity is continuing.

RL researchers spotted the two packages while undergoing their routine monitoring of open source repositories, specifically to find packages with combinations of suspicious behaviors that experts believe are indicative of malicious activity. Further investigation showed that the targets of these packages were two legitimate PyPI packages that are helper tools originally published by a PyPI developer with the username NP6.

The RL team noticed that NP6 is a marketing automation tool developed by the firm Chapvision. However, the NP6 PyPI account that uploaded the legitimate packages is not an official Chapvision account, but rather a personal account linked to a Chapvision developer. ReversingLabs shared the finding with the firm, and Chapvision was able to confirm that the legitimate packages were published by one of their employees. At around the same time, RL researchers noticed that the same helper tools were then removed from PyPI. 

The threat actors who uploaded the two malicious packages, which employ typosquatting, likely were aiming to trick legitimate developers into downloading and opening them. Developers may have confused these malicious packages with the legitimate helper tools uploaded by NP6. (ReversingLabs) 

This Week’s Headlines

GitHub Copilot makes insecure code even less secure

GitHub’s AI-powered coding assistant, GitHub Copilot, may suggest insecure code when the user’s existing codebase contains security issues, according to Snyk. The assistant can replicate existing security issues in code, the company said in a blog post: “This means that existing security debt in a project can make insecure developers using Copilot even less secure.” However, GitHub Copilot is less likely to suggest insecure code in projects without security issues, as it has less insecure code context to draw from. (InfoWorld)

How to combat CI/CD security anti-patterns

Techstrong Research released a new report, “Tackling CI/CD Security Anti-Patterns,” which sheds light on the evolving landscape of continuous integration/continuous deployment (CI/CD) pipeline security. The report draws from the collective wisdom and experiences of professionals across DevOps, DevSecOps, software development and security disciplines. This article shares the key takeaways from the new report, in addition to recommendations for how to address CI/CD pipeline security moving forward. (DevOps.com)

NIST offers concrete steps for secure software development

Recommendations from the U.S. federal government about securing software supply chains can be generic — but experts say new guidance published by the U.S. National Institute of Standards and Technology (NIST) offers actual concrete steps. The new guidance, SP 800-204D, is NIST’s final guideline for software providers on implementing the building blocks of supply chain security assurances into CI/CD pipelines. It recommends that manufacturers prioritize a series of actionable measures, including establishing baseline security requirements for integrating open-source software and expanding oversight of provenance data. (Bank Info Security)

Why DevOps is key to software supply chain security

DevOps is designed to increase business value and responsiveness through rapid, high-quality service delivery, made possible through fast-paced, iterative IT service delivery. However, with the barrage of attacks on the software supply chain showing no signs of abating, the question now is whether even the tightest DevOps pipelines can maintain the pace-protection balance. This article explains how DevOps teams can best implement federal requirements, guidelines and recommendations for best executing DevOps in a way that maintains the speed of business while upholding software supply chain security. (DevOps.com)

The psychology of security team burnout

A 2023 Gartner report stated that up to half of cybersecurity leaders are likely to switch jobs in the next two years. The inability to anticipate developing threats may be a contributor, due to staff simply not having the time to stay on top of new threats. Also, it’s likely that burnt-out staff miss obvious cues and make mistakes that allow cyberattackers to penetrate their networks. This article explores the causes that have led to the current state of cybersecurity burnout, and how organizations can best move forward. (Information Week)

Resource Roundup

Webinar | Trust Secured: Conquer Software-Based Threats in the CI/CD Pipeline

Thursday, February 29th at 11am ET

Register now for this DigiCert co-hosted webinar to learn how to upgrade your CI/CD pipeline through the synchronization of binary analysis, threat detection, and secure code signing to confront the enormous negative impacts of software supply chain attacks. [Register here] 

The Buyer’s Guide to Software Supply Chain Security

This guide examines key features and capabilities software producers and buyers need to modernize their application security tooling for the new era of software supply chain security. [Get it here]