This content originally appeared on DEV Community and was authored by Luke Hinds
Following on from my last post on using the Trusty API for source-of-origin provenance, this post expands to how you can get a view on a package's state of maintenance and risk.
Deprecated Packages
Let's first consider a real-world case. As a developer, you're tasked with building an OAuth2 framework for Python. Like most of us, you will likely start with a Google search. Opening an incognito session, we see the second result references a package on PyPI:
Looking at the PyPi page shows a green 'Latest Version' button:
All looks good. The last release was a while ago, but it is possible for a project to have limited exposure to other dependencies and a good definition of done.
However, let's check out the Trusty API and in particular the archived field:
curl -sS https://api.trustypkg.dev/v2/pkg\?package_name\=python-oauth2\&package_type\=pypi |jq '.archived'
true
A quick visit to the GitHub repo confirms this is true:
Malicious Packages
Let's take a recent attack discovered by Trusty, where the popular Python package "requests" was typo-squatted with the package name "requestn":
curl -sS https://api.trustypkg.dev/v2/pkg\?package_name\=requestn\&package_type\=pypi |jq '.malicious'
{
"summary": "Malicious code in requestn (PyPI)",
"details": "This package is considered malicious because it extracts OS files of the localhost and sends the contents to an unknown Telegram channel.",
"published": "2024-06-06T13:18:09Z",
"modified": "2024-06-06T13:18:09Z",
"source": "https://osv.dev/vulnerability/MAL-2024-1547"
}
Visiting the referenced OSV link confirms this is in fact a malicious package.
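The two curl calls above can be folded into a small script that checks every entry of a requirements list against the same archived and malicious fields. This is an added example, not code from the post or from Trusty; the sample responses are constructed to mirror the two records shown above, and it assumes that malicious is null or absent when a package has no malware advisory.

```python
import json
import re
import urllib.parse
import urllib.request

TRUSTY_API = "https://api.trustypkg.dev/v2/pkg"  # endpoint used in the post


def trusty_url(package_name, package_type="pypi"):
    """Build the same query URL the post's curl commands use."""
    query = urllib.parse.urlencode({"package_name": package_name, "package_type": package_type})
    return f"{TRUSTY_API}?{query}"


def fetch(package_name, package_type="pypi", timeout=10):
    """Live lookup of one package record (not used by the offline sample below)."""
    with urllib.request.urlopen(trusty_url(package_name, package_type), timeout=timeout) as resp:
        return json.load(resp)


def assess(pkg):
    """Turn one Trusty package record into a list of findings.
    Only the two fields discussed in the post are examined. Assumption: 'malicious'
    is null or absent when there is no advisory for the package."""
    findings = []
    if pkg.get("archived") is True:
        findings.append("archived: upstream repository is archived, expect no further fixes")
    mal = pkg.get("malicious")
    if mal:
        findings.append(f"malicious: {mal.get('summary', 'advisory')} ({mal.get('source', 'no source')})")
    return findings


# Constructed sample responses shaped after the two records shown in the post.
SAMPLE_RESPONSES = {
    "python-oauth2": {"archived": True, "malicious": None},
    "requestn": {"archived": False, "malicious": {
        "summary": "Malicious code in requestn (PyPI)",
        "source": "https://osv.dev/vulnerability/MAL-2024-1547"}},
    "requests": {"archived": False, "malicious": None},
}


def audit(requirements, responses=SAMPLE_RESPONSES):
    """Check each requirements line; returns {package: findings} for flagged packages only.
    Pass responses=None to query the live API instead of the constructed samples."""
    report = {}
    for line in requirements:
        name = re.split(r"[<>=!~;\[\s]", line.strip(), 1)[0]  # strip version specifiers
        if not name or name.startswith("#"):
            continue
        record = responses.get(name, {}) if responses is not None else fetch(name)
        findings = assess(record)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit(["requests>=2.0", "python-oauth2", "requestn", "# comment"]).items():
        print(name, *("  - " + f for f in findings), sep="\n")
```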
As mentioned in my previous post, Trusty's APIs are public and available for others to build upon. Have a good idea for a possible integration with our API? I would love to learn more; please let me know on X @decodebytes or via a comment on this post.
Luke Hinds | Sciencx (2024-06-20T10:47:23+00:00) Using the Trusty API to discover for deprecated and malicious packages. Retrieved from https://www.scien.cx/2024/06/20/using-the-trusty-api-to-discover-for-deprecated-and-malicious-packages/