GitHub has paused alerting developers of malware via its Dependabot service, which analyzes project dependencies in order to report on issues and optionally generate automatic pull requests to fix them.
The reason given is that “some organizations have been impacted with Dependabot alerts from these malware advisories that may be false positives.”
Maintaining the security of dependencies is a big issue for developers, who may not even be aware of all the software libraries consumed by their code. Tools like npm (Node Package Manager) automatically download packages with their dependencies and place them in subdirectories such as node_modules in order to avoid distracting developers from the code they are writing.
The downside is that this is somewhat hidden and over-reliance on this kind of automation can lead to unknowingly including insecure software in a project. Another issue is out of date dependencies, perhaps even in libraries that are no longer maintained so that security issues are not fixed.
Dependabot is a GitHub feature that automatically scans a repository to discover such issues. The service uses a database called the GitHub Advisory Database and last month this was expanded to include malware advisories though GitHub also noted that “Dependabot does not send update pull requests for malware as the only resolution is to delete the package and find an alternative.”
Ideally malware would not find its way into package repositories but they are an attractive target for criminals since the prize is automated inclusion into the victim’s applications.
Repository maintainers are making progress with protections like mandatory MFA for publishers but this is a long way from full implementation for the most popular repositories. User account compromise is one common cause of malware, as happened with the ctx package in PyPI at the end of May.
Why the false positives? The problem, according to the GitHub team, is related to a type of attack called substitution, where malicious users publish packages with the same name as one that developers may rely on in a third-party or private registry. Dependabot…