this post was submitted on 24 Aug 2023
64 points (93.2% liked)

Rust Programming

8191 readers
2 users here now

founded 5 years ago
MODERATORS
top 5 comments
sorted by: hot top controversial new old
[–] BB_C@programming.dev 15 points 1 year ago (1 children)

Yay. My first ad-masquerading-as-a-genuine-post experience on Lemmy!

Thus, we’ve developed a cargo extension that transparently queries the Phylum API for information about a package before it’s allowed to build.

Only our* malware-like behaviour is blessed. Because it's a feature. And research-based. And security-oriented. And commercial! We told you about it beforehand and sold you the idea.

* Assuming the malware discovered is not theirs too.

[–] expertmadman@sh.itjust.works 5 points 1 year ago* (last edited 1 year ago)

I'm one of the co-founders @ Phylum. We have a history of reporting these attacks/malware to the appropriate organizations. We work closely with PyPI, NPM, Github, and others - and have reported thousands of malicious packages in the last few years. If you were following GIthub's recent security advisory, you can see a shout-out for some of our previous work. There are also public thanks from the Crates.io team for our efforts over on HN.

I say all this to assure you we didn't write or release this malware. It just wouldn't make sense, especially when these open-source ecosystems contain so much malware for us to hunt and report on already. Though I get the logic, we have seen other security companies do this - and called them out for it.

Our platform is free for developers and small teams (heck, I'll give anyone who asks for it a free pro account if you really need it). We've open-sourced our CLI and sandbox that limits access to network/disk/env during package installation. We're genuinely - really - trying to help make these ecosystems safer.

[–] krnl386@lemmy.ca 12 points 1 year ago

Thanks for sharing. Very nice writeup.

[–] Lucky@lemmy.ml 7 points 1 year ago (1 children)

Another way to mitigate type squatting would be namespacing crates. Much easier to verify who owns the package and related packages

[–] Vorpal@programming.dev 2 points 1 year ago

Doesn't really help: what if you typo the namespace instead? Same exact issue. Namespaces are useful for other things though, but not security.