How CISOs can tackle the insidious problem of poisoned packets

In addition, there are no safeguards at the repository level to detect buggy packages. “Anyone can write a piece of code and just upload it to these platforms,” Yehuda Gelb, research engineer at Checkmarx, tells CSO. “For example, in Python, you can just create a Python package and upload it, and with PyPI, there’s no one to say, ‘Okay, you can’t upload that,’ unless someone like us catches them, and then we report it to them, and they take it down.”

The code repositories do their best to weed out bad packages, but ensuring that the tens of thousands of packages they receive every day are free of malware is not their job. “The problem is that content uploaded to open source registries is not reviewed,” Jossef Harush, head of software supply chain security at Checkmarx, tells CSO.

“If I want to publish a GitHub repository, I can do that,” says Harush. “It will be public in a jiffy. I have no filters on this. If someone reports that my GitHub repository contains malware, the GitHub security teams would intervene. This would take some time and most likely the malware package would be removed or hidden from the public afterward. But this depends on the community flagging these contributions as bad.”

By Bronte
