Was it worth breaking the copies – Newspaper Kommersant No. 142 (7343) dated 08/06/2022
[ad_1]
The core community involved in the development of open source solutions has found more than 35,000 library clones in the public GitHub repository, disguised as the original and containing malicious elements. The threat is significant in Russia, where developers do not always carefully check free solutions, experts point out.
Users of the largest repository (public repository) GitHub found more than 35,000 clones of popular open source packages infected with malware. This was first reported by software developer Steven Lacy on his Twitter account, calling the incident a “widespread malware attack.” In particular, clones of a number of popular solutions, for example, in the Python language, have defects that allow unauthorized access to data (algorithm backdoors). Representatives of the international community in specialized forums believe that this incident is dangerous, because users without product verification may not distinguish a copy of the code from its high-quality original and, using the code, infect their systems. The appearance of such a code prevents users from receiving updates, and also significantly reduces the development of their own products based on Open Source software, explains Alexander Sysoev, head of infrastructure solutions at Croc IT company.
Experts assess the degree of danger of the incident for developers in Russia in different ways. Pavel Korostelev, head of the product promotion department at Code of Security, believes that the threat is relevant for those companies that use open source to create internal solutions: “As a rule, companies tend to check such code less carefully, because the speed of product release is important to them.” Anyone who develops and uses the appropriate libraries can suffer, Dmitry Shmoylov, head of the Kaspersky Lab software security department, insists: “The danger arises when you start using a library with an erroneous name.” Since the spring of this year, information about malicious code in free software products has often appeared on the net, recalls Alexander Sysoev.
Since the end of February, specialized companies in Russia have noted a sharp increase in malicious elements (bookmarks) of open source software hosted in repositories: by June, their number had increased by almost 20 times compared to last year. Bookmarks could contain provocative content or calls for politically motivated actions (see Kommersant of June 6).
In connection with the increasing incidence of incidents, it is necessary to develop our own Russian repositories, where all software packages are thoroughly checked before they are included and everyone has a responsible person, especially when it comes to platform and system software, Grigory Sizonenko, CEO of IVK, insists. In Russia, the appearance of a national repository was scheduled for December 2022, this follows from the draft government decree of February 10. According to the regulation.gov.ru portal, the document is still undergoing public discussion. Controls the creation of the repository of the Ministry of Digital Development. It is planned to host open source software products developed by departments and subjects of the Russian Federation, as well as commercial companies (see Kommersant dated February 10). The Ministry of Digital Development reported that at the moment the Ministry of Digital Development and ANO “Open Source” form the requirements for the national repository.
[ad_2]
Source link
