LastPyMile: a lightweight approach for securing Python ecosystem from software supply chain attacks


Software supply chain attacks aim to inject malicious code into a software product. However, current solutions to vetting the published artifacts are resource-demanding and generate many false positives. Thus, scanning again all and whole ‘most likely good but modified’ packages is hard to manage for FOSS downstream users. In other words, if scanning one file in a package is feasible but not enough and reviewing an entire package is unfeasible due to the high number of false positives, a different solution is needed.

A key observation in the most common software supply chain attacks (typosquatting and hijacked packages) is that only a minimal part of the source code has been tampered with by attackers. Instead, one could focus on the last mile discrepancy between the source code and distributed artifacts (e.g., those present in PyPI). This practice is motivated by the reproducible builds: it is suspicious if the code in the source code repository differs from the code in the artifacts distributed in the package repository.

We will present a single, yet practical approach called LastPyMile to identify discrepancies between the source code and their respective packages. By cleverly combining package scraping and artifact hashing, we can extract the differences in a scalable way. In particular, LastPyMile enables checking the entire codebase of a published artifact 16x faster than the baseline git log approach.

Our empirical assessment of more than 2000 popular packages in PyPI with an analysis of around 10M lines of code shows several differences in the wild: modifications cannot be just attributed to malicious injections. In particular, we observe that, on average there are 5.8% of artifacts and 2.6% of files have changes in Python files.

LastPyMile can be used to extend current package scanning practices for malware injection (which only covers less than 1% of the code of deployed packages) by filtering either the input or the output of such security scanners. LastPyMile reduces the number of alerts produced by a malware checking tool to a number that a human can check. We checked our approach against known malicious packages from the real attacks, and we found that LastPyMile can detect all of them. Also, it removes all the alerts from benign packages, allowing a clear distinction between benign and malicious packages.