
@mistersql

Ideas for social engineering attacks against pypi

- fork a project with reputation. Even real forks are full of the self-asserted claims of identity

- tie your fork to an organization on GitHub. It is just about impossible to tell if an organization is trustworthy or if one of the many people associated with it is trustworthy

Self-replies

Another attack would be to be completely anonymous and exploit what people would trust without thinking about it too much, like taking a dependency on left-pad.

A third attack would be to create a real, actually useful package that

- is useful for testing
- would be installed on build servers

Because verification (especially informal verification) is loosey-goosey for development dependencies and transitive dependencies.

Defenses:
- Find all claims and find out which ones are self-asserted (all of them?)
- Make a tool to ID anonymous users
- 1 anonymous user in a dependency graph & the whole graph is now suspicious
- Find signs of forking
- Tool to distinguish organizations, single users

And if these signals are found then do manual research.
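One way to turn the defence list above into a check, as an added example that is not part of the thread or of any real tool: walk a package's transitive dependency graph, compute the thread's signals per package (anonymous maintainer, fork, organization-owned), taint the whole graph when any anonymous maintainer appears, and hand back the list of packages that warrant manual research. The package index, package names and maintainer handles are all constructed for the example; real metadata would come from the package index and the source forge.

```python
from dataclasses import dataclass, field


@dataclass
class Maintainer:
    handle: str
    # True only if the identity claim is backed by something other than the
    # account's own profile text (the thread's point: most claims are self-asserted)
    verified_identity: bool
    is_org: bool = False


@dataclass
class Package:
    name: str
    maintainers: list[Maintainer]
    is_fork: bool = False
    dependencies: list[str] = field(default_factory=list)


# Constructed sample index; none of these packages or handles are real.
INDEX = {
    "myapp": Package("myapp", [Maintainer("alice", True)],
                     dependencies=["webframework", "testhelper"]),
    "webframework": Package("webframework",
                            [Maintainer("webframework-org", True, is_org=True)],
                            dependencies=["padlib"]),
    "padlib": Package("padlib", [Maintainer("anon123", False)]),
    "testhelper": Package("testhelper", [Maintainer("bob", True)], is_fork=True,
                          dependencies=["padlib"]),
    "cleanapp": Package("cleanapp", [Maintainer("carol", True)],
                        dependencies=["smallutil"]),
    "smallutil": Package("smallutil", [Maintainer("dave", True)]),
}


def package_signals(pkg: Package) -> set[str]:
    """Signals from the thread's defence list, computed for one package."""
    signals = set()
    if pkg.is_fork:
        signals.add("fork")
    if any(not m.verified_identity for m in pkg.maintainers):
        signals.add("anonymous-maintainer")
    if any(m.is_org for m in pkg.maintainers):
        signals.add("org-owned")
    return signals


def transitive_dependencies(root: str, index: dict[str, Package]) -> list[str]:
    """Every package reachable from root (root included), cycle-safe."""
    seen, order, stack = set(), [], [root]
    while stack:
        name = stack.pop()
        if name in seen:
            continue
        seen.add(name)
        order.append(name)
        pkg = index.get(name)
        if pkg is not None:
            stack.extend(pkg.dependencies)
    return order


def audit(root: str, index: dict[str, Package]) -> dict:
    """Signals for every package in root's graph plus the thread's taint rule."""
    flagged = {}
    for name in transitive_dependencies(root, index):
        pkg = index.get(name)
        # A dependency missing from the index cannot be vetted at all
        signals = {"not-in-index"} if pkg is None else package_signals(pkg)
        if signals:
            flagged[name] = signals
    # The thread's rule: one anonymous maintainer anywhere taints the whole graph.
    tainted = any("anonymous-maintainer" in s or "not-in-index" in s
                  for s in flagged.values())
    return {"root": root, "suspicious": tainted, "flagged": flagged,
            "needs_manual_research": sorted(flagged)}


if __name__ == "__main__":
    for root in ("myapp", "cleanapp"):
        result = audit(root, INDEX)
        print(f"{root}: suspicious={result['suspicious']}")
        for name in result["needs_manual_research"]:
            print(f"  {name}: {', '.join(sorted(result['flagged'][name]))}")
```

Only the anonymous-maintainer signal taints the graph on its own; forks and organization ownership are recorded as reasons for the manual research the thread ends on, since neither is wrong by itself.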