How CISOs can tackle the pernicious problem of poisoned packages


Moreover, there are no safeguards at the repository level to detect bad packages. “Anyone can write a piece of code and just upload it to those platforms,” Yehuda Gelb, research engineer at Checkmarx, tells CSO. “For instance, in Python, you can just create a Python package and upload it, and there’s no one really in PyPI that says, ‘okay, you can’t upload this’ unless someone like us catches them, and then we report it to them, and they take it down.”

The code repositories do what they can to screen out bad packages, but ensuring that the tens of thousands of packages they receive each day are malware-free is not their job. “The problem is that content uploaded to open-source registries is not vetted,” Jossef Harush, head of software supply chain security at Checkmarx, tells CSO.

“If I want to publish a GitHub repository, I can do that,” Harush says. “It’s going to be public in a snap. I don’t have any filters doing so. If someone reports my GitHub repository as containing malware, then the GitHub security teams would get involved. It would take them time, and most likely, after that, the malware package would get removed or hidden from the public. But that relies on the community flagging those contributions as bad.”
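Because the registries described above accept uploads without review and rely on after-the-fact reports, the vetting has to happen on the consumer side. The following is an added example, not code from the article or from Checkmarx: a small quarantine gate that checks each requirement against release history and holds back packages that are too new or have too little history to have been noticed by anyone. The metadata, the policy thresholds and the allowlist are all constructed assumptions; in a real pipeline the release timestamps would come from the registry's metadata endpoint.

```python
"""Consumer-side quarantine gate for third-party packages (added example).
Compensates for registries that publish uploads without review: a package
that nobody has had time to look at is held for manual review."""
import re
from datetime import datetime, timezone

# Policy knobs (assumed values; tune per organisation)
MIN_PACKAGE_AGE_DAYS = 30     # first release must be at least this old
MIN_RELEASES = 2              # single-release packages are quarantined
ALLOWLIST = {"requests"}      # packages already reviewed internally

# Fixed clock so results are reproducible
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# CONSTRUCTED release history: package name -> upload timestamps (ISO 8601).
# Shapes mimic what a registry metadata lookup would return; values are made up.
SAMPLE_METADATA = {
    "requests": ["2011-02-14T00:00:00Z", "2024-05-20T00:00:00Z"],
    "fresh-upload": ["2024-05-30T00:00:00Z"],  # two days old, one release
    "internal-helper": ["2024-03-01T00:00:00Z", "2024-04-01T00:00:00Z"],
}

def _parse(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def evaluate(name, uploads, now=NOW):
    """Return (verdict, reason) for one package given its upload timestamps."""
    if name in ALLOWLIST:
        return "allow", "on reviewed allowlist"
    if not uploads:
        return "quarantine", "no release history found"
    age_days = (now - min(_parse(t) for t in uploads)).days
    if age_days < MIN_PACKAGE_AGE_DAYS:
        return "quarantine", f"first release only {age_days} days old"
    if len(uploads) < MIN_RELEASES:
        return "quarantine", f"only {len(uploads)} release(s) published"
    return "allow", f"first release {age_days} days old, {len(uploads)} releases"

def gate(requirements, metadata=SAMPLE_METADATA, now=NOW):
    """Evaluate requirements.txt-style lines; return name -> (verdict, reason)."""
    results = {}
    for line in requirements:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # Project name ends at the first version specifier, extra or marker
        name = re.split(r"[=<>!~;\s\[]", line, maxsplit=1)[0].lower()
        results[name] = evaluate(name, metadata.get(name, []), now)
    return results

if __name__ == "__main__":
    for pkg, (verdict, why) in gate(["requests==2.31.0", "fresh-upload",
                                     "internal-helper>=1.0", "unknown-pkg"]).items():
        print(f"{pkg:16} {verdict:10} {why}")
```

A build step can fail on any "quarantine" verdict and route the package to a reviewer, which is the control the registries themselves do not provide.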
