Luke HindsFollowing on from my last post on using the Trusty API for source of origin provenance, this post will expand on the topic and introduce how you can get a view on packages state of maintenance and risk.
Deprecated Packages
Let's first consider a real world, case. As a developer you're tasked with building an OAuth2 framework for Python. Like most of us, you will likely start with a google search. Opening an incognito session , we see the second result references a package on pypi:
Looking at the PyPi page shows a green 'Latest Version' button:
All, looks good. The last release was a while ago, but it is possible for a project to have limited exposure to other dependencies and a good definition of done.
However, let's check out the Trusty API and in particular the archived field
curl -sS https://api.trustypkg.dev/v2/pkg\?package_name\=python-oauth2\&package_type\=pypi |jq '.archived'
true
A quick visit to the GitHub repo confirms this is true:
Malicious Packages
Let's take a recent attack discovered by Trusty, where a popular Python package "requests" was typo-squatted with a package name "requestn".
curl -sS https://api.trustypkg.dev/v2/pkg\?package_name\=requestn\&package_type\=pypi |jq '.malicious'
{
"summary": "Malicious code in requestn (PyPI)",
"details": "This package is considered malicious because it extracts OS files of the localhost and sends the contents to an unknown Telegram channel.",
"published": "2024-06-06T13:18:09Z",
"modified": "2024-06-06T13:18:09Z",
"source": "https://osv.dev/vulnerability/MAL-2024-1547"
}
Visiting the referenced OSV link shows this is in fact a malicious package
As mentioned in my previous post, Trusty's API's are public and available for others to build upon. Have a good idea for a possible integration with our API? I would love to learn more, please let me know on X @decodebytes or via a comment on this post.
