Lofygang Uses Malicious Packages to Poison Open Source Software

Hackers are using compromised open source software “packages” to steal credit card data, credentials and other data before selling it on underground forums.

The researchers who announced the attack, Checkmarx, found 200 compromised packages, but that is just the tip of the iceberg.

These attackers may be operating out of Brazil, but this is a general problem and we have seen it before in other software languages.

In general, it is relatively easy in the open source world to upload packages which have useful functionality along with a few extra “features”.

If developers are not reviewing the code closely enough before integrating it into their software, legitimate software is now delivering malware.

There are many ways to implement this sort of supply chain attack and hackers are using different ones at different times and between different groups.

While the objective is not to poison the overall open source world, if a company winds up accidentally delivering malware to their customers this way, my suspicion is that open source code at that company will be avoided, even at the extra cost and time of writing routines internally that could be downloaded off the net. And, of course, the company will have to deal with the inevitable lawsuits that will follow.

This means that development teams need to up their game in “validating” open source software.

If you need help building a secure software development program, please contact us.

Credit: Dark Reading