Malware downloaded from PyPI 41,000 times was surprisingly stealthy

Malware infiltrating open source repositories is getting more sophisticated.


(credit: Getty Images)

PyPI—the open source repository that both large and small organizations use to download code libraries—was hosting 11 malicious packages that were downloaded more than 41,000 times in one of the latest reported such incidents threatening the software supply chain.

JFrog, a security firm that monitors PyPI and other repositories for malware, said the packages are notable for the lengths its developers took to camouflage their malicious code from network detection. Those lengths include a novel mechanism that uses what’s known as a reverse shell to proxy communications with control servers through the Fastly content distribution network. Another technique is DNS tunneling, something that JFrog said it had never seen before in malicious software uploaded to PyPI.

A powerful vector

“Package managers are a growing and powerful vector for the unintentional installation of malicious code, and as we discovered with these 11 new PyPI packages, attackers are getting more sophisticated in their approach,” Shachar Menashe, senior director of JFrog research, wrote in an email. “The advanced evasion techniques used in these malware packages, such as novel exfiltration or even DNS tunneling (the first we’ve seen in packages uploaded to PyPI) signal a disturbing trend that attackers are becoming stealthier in their attacks on open source software.”


Keeping science reproducible in a world of custom code and data

Computer analysis is now a central part of science.


(credit: Degui Adil / Getty Images)

It is often said that the difference between science and superstition is that science is reproducible. Unfortunately, many scientific papers aren't, making them about as reliable as superstition.

Since the mid-1600s, the output from a typical scientific study has been an essay-style journal article describing the results. But today, in fields ranging from astronomy to microbiology, much of the technical work for a journal article involves writing code to manipulate data sets. If the data and code are not available, other researchers can't reproduce the original authors' work and, more importantly, may not be able to build upon the work to explore new methods and discoveries.

Thanks to cultural shifts and funding requirements, more researchers are warming up to open data and open code. Even 100-year-old journals like the Quarterly Journal of Economics or the Journal of the Royal Statistical Society now require authors to provide replication materials—including data and code—with any quantitative paper. Some researchers welcome the new paradigm and see the value in pushing science forward via deeper collaboration. But others feel the burden of learning to use distribution-related tools like Git, Docker, Jupyter, and other not-quite words.


Advertisement: Reliably detecting security vulnerabilities

Three hacking and security seminars provide the tools needed to reliably detect security vulnerabilities and respond appropriately to external attacks. (Golem Akademie, server applications)


DIY: Hobbyist builds 48-TByte NAS with a Raspberry Pi

Fitted with six SSDs, a YouTuber puts a Raspberry Pi NAS with 48 TByte of capacity through a series of tests. The Pi reaches its limits. (NAS, storage media)


Rocket Report: Clipper to fly on used Falcon boosters, BE-4 may slip further

It says something that NASA is entrusting a hugely valuable mission to used rockets.

Fire and smoke light up the night sky as a rocket lifts off.

Launch of Vega VV20 on Nov. 16, 2021, from Europe’s Spaceport in French Guiana. (credit: ESA/CNES/Arianespace)

Welcome to Edition 4.24 of the Rocket Report! This will be the last newsletter for the month of November, as I'll be taking off next week for the Thanksgiving holiday. But the Rocket Report will return in December when there will be several important launches, none more so than the James Webb Space Telescope.

As always, we welcome reader submissions, and if you don't want to miss an issue, please subscribe using the box below. (The form will not appear on AMP-enabled versions of the site.) Each report will include information on small-, medium-, and heavy-lift rockets, plus a quick look ahead at the next three launches on the calendar.

Rocket Lab tests helicopter recovery. In some ways, Rocket Lab's "Love at First Insight" launch on Wednesday evening was routine, delivering another two BlackSky satellites into low Earth orbit. This was the Electron rocket's 22nd overall launch, and the company says it has now launched a total of 107 satellites. As with a handful of previous missions that have experimented with first-stage reuse, the Electron booster made a controlled splashdown in the Pacific Ocean.
