Malicious PyPI package targets Chimera users to steal AWS tokens, CI/CD secrets

Protection needs a multi-layered approach: Experts are treating the chimera-sandbox-extensions incident as more than just another malicious package takedown. While JFrog acted quickly, alerting PyPI maintainers, removing the package, and updating its Xray scanner, researchers agree that a one-time fix isn't enough.

"Within the last five years, attackers have leveraged PyPI and other package managers to exploit developer trust through typosquatting and supply chain attacks," said Fletcher Davis, senior security research manager at BeyondTrust. "The chimera-sandbox-extensions incident underscores that traditional security approaches are insufficient against modern supply chain threats. Supply chain security requires a proactive, multi-layered approach combining technical controls, process improvements, and continuous monitoring rather than relying solely on reactive measures."

More specifically, Jason Soroko, senior fellow at Sectigo, said banning direct pip and uv installs from public indexes can help. "Mirror approved dependencies in an internal repository and enforce hash pinning in lockfiles," he added. "Scan all incoming packages with static and dynamic analysis to detect DGA calls and credential-harvesting code observed in chimera-sandbox-extensions. Automate removal of outdated or unused dependencies."

Abuse of open-source package managers has surged in recent years, driven by their massive reach and the potential for widespread impact through millions of daily downloads. In recent findings, attackers leveraged the npm package manager to push malicious packages for erasing entire production systems, spying on DevOps machines, and planting stealers and RCE malware.

First seen on csoonline.com

Jump to article: www.csoonline.com/article/4008240/malicious-pypi-package-targets-chimera-users-to-steal-aws-tokens-ci-cd-secrets.html
