Yay. My first ad-masquerading-as-a-genuine-post experience on Lemmy!
Thus, we’ve developed a cargo extension that transparently queries the Phylum API for information about a package before it’s allowed to build.
Only our* malware-like behaviour is blessed. Because it's a feature. And research-based. And security-oriented. And commercial! We told you about it beforehand and sold you the idea.
* Assuming the malware discovered is not theirs too.
I'm one of the co-founders @ Phylum. We have a history of reporting these attacks/malware to the appropriate organizations. We work closely with PyPI, NPM, Github, and others - and have reported thousands of malicious packages in the last few years. If you were following GIthub's recent security advisory, you can see a shout-out for some of our previous work. There are also public thanks from the Crates.io team for our efforts over on HN.
I say all this to assure you we didn't write or release this malware. It just wouldn't make sense, especially when these open-source ecosystems contain so much malware for us to hunt and report on already. Though I get the logic, we have seen other security companies do this - and called them out for it.
Our platform is free for developers and small teams (heck, I'll give anyone who asks for it a free pro account if you really need it). We've open-sourced our CLI and sandbox that limits access to network/disk/env during package installation. We're genuinely - really - trying to help make these ecosystems safer.
Thanks for sharing. Very nice writeup.
Another way to mitigate type squatting would be namespacing crates. Much easier to verify who owns the package and related packages
Doesn't really help: what if you typo the namespace instead? Same exact issue. Namespaces are useful for other things though, but not security.