What you need to look out for when installing packages from public repositories
In this Help Net Security video, Ax Sharma, Senior Security Researcher at Sonatype, talks about the risks posed by malicious open source packages.
Malicious packages can harm systems in many different ways, ranging from simple proof-of-concept packages, through data exfiltration and passive cryptomining, to outright sabotage.
The most common types of malicious packages seen are:
- Typosquatting and brandjacking
- Dependency confusion
- Hijacked legitimate libraries
Self-sabotage by maintainers of popular projects is another trend developers should be aware of when installing packages from public repositories.