Skip to main content

TH15501

Detected presence of files with behaviors similar to malicious packages published on PyPI.

priorityCI/CD statusseverityeffortSAFE levelSAFE assessment
passhighhighNonetampering: warning
Reason: suspicious application behaviors

About the issueโ€‹

Software components contain executable code that performs actions implemented during its development. These actions are called behaviors. In the analysis report, behaviors are presented as human-readable descriptions that best match the underlying code intent. Python Package Index (PyPI) repository is often abused by threat actors to publish software packages that exhibit malicious behaviors. Malware authors use numerous tactics to lure developers into including malicious PyPI packages in their software projects. Most malicious packages published on PyPI target developers and their workstations. However, some are designed to activate only when deployed in the end-user environment. Both types of Python malicious packages are detected by proprietary ReversingLabs threat hunting algorithms. This detection method is considered proactive, and it is based on Machine Learning (ML) algorithms that can detect novel malware. The detection is strongly influenced by behaviors that software components exhibit. Behaviors similar to previously discovered malware and software supply chain attacks may cause some otherwise benign software packages to be detected by this policy.

How to resolve the issueโ€‹

  • Investigate reported detections.
  • If the software intent does not relate to the reported behavior, investigate your build and release environment for software supply chain compromise.
  • You should delay the software release until the investigation is completed, or until the issue is risk accepted.
  • Consider rewriting the flagged code without using the marked behaviors.

Incidence statisticsโ€‹

ReversingLabs periodically collects and analyzes the contents of popular software package repositories for threat research purposes. Analysis results are used to calculate incidence statistics for issues (policy violations) that Spectra Assure can detect in software packages.

This section is updated when new data becomes available.

Total amount of packages analyzed

  • RubyGems: 183K
  • Nuget: 644K
  • PyPi: 628K
  • NPM: 3.72M
Statistics are not collected for the TH15501 policy at this time, or not applicable to this type of issue.