How Malicious Dependencies Exploit Developer Trust and What You Can Do to Stay Secure
Introduction: The Open-Source Threat: How Attackers Exploit Software Dependencies
Open-source software has revolutionized development, driving innovation and collaboration worldwide. But with its rise comes a growing security risk—supply chain attacks.
At their core, these attacks target software dependencies—third-party libraries that developers rely on to build applications faster. Attackers compromise these libraries, injecting malicious code that spreads across thousands of systems instantly.
One of the most common tactics is typosquatting, where threat actors publish malicious packages with names nearly identical to legitimate ones. Recently, Loginsoft security researchers have observed a surge in malicious libraries designed to steal data, execute harmful payloads, and infiltrate developer environments.
A prime target? ‘requestsʼ, Pythonʼs widely used HTTP library, downloaded over 16 billion times. Its massive adoption makes it a lucrative target for typosquatting attacks.
In this post, weʼll focus on ‘requestsʼ and examine real-world examples uncovered by Loginsoft security researchers, showing how attackers are exploiting popular libraries. Weʼll also discuss key strategies to protect your software supply chain.
What are Supply Chain Attacks in Open-Source Ecosystems?
A supply chain attack in the context of open-source software refers to the act of compromising software dependencies or repositories to introduce malicious code into legitimate projects. Since developers rely on numerous third-party libraries to accelerate software development, attackers exploit this trust by injecting malicious code into widely-used dependencies, allowing them to infiltrate thousands of applications at once.
Common methods of supply chain attacks include:
- Typosquatting – Attackers create malicious packages with names similar to popular libraries (e.g.,
reqeustsinstead ofrequests). - Dependency Confusion – Attackers publish higher version numbers of internal libraries to public repositories, tricking dependency managers into pulling the malicious package instead.
- Hijacking Maintainer Accounts – By gaining access to legitimate package maintainers’ credentials, attackers push malicious updates to widely trusted packages.
- Code Injection in Repositories – Attackers target open-source repositories, injecting backdoors into public projects that get widely adopted.
These attacks can lead to data exfiltration, remote code execution, or full system compromise, impacting not just individual developers but entire organizations using these dependencies.
Taking a look at the most downloaded libraries on PyPI, we note that 'requests' remains the 3rd most downloaded library (source). However, there is a wide scope for attackers to analyze and choose new library names to spread their malicious packages for multiple purposes. As new libraries gain traction, adversaries may shift their tactics, targeting emerging dependencies to maximize their reach.
A Deep Dive into the Case Study of ‘Requests
A search for the 'requests' library on PyPI reveals over 10,000 related projects, many of which offer additional features for enhanced functionality. However, a significant number of these packages are malicious, created with deceptive intent. Attackers exploit the widespread popularity of 'requests' by publishing fraudulent packages that appear legitimate. These adversaries also take advantage of common typo errors made during coding or searching within open-source ecosystems, further increasing the risk of accidental installation.
Malicious Impersonations of the 'Requests' Library
The following names are a few examples of real malicious packages that have been published in the past:
Each of these packages mimics requests while embedding malicious functionalities, ranging from data exfiltration to remote code execution (RCE).
MITRE ATT&CK Technique IDs (TTPs) associated with each malicious behavior
These TTPs demonstrate the various attack strategies used in software supply chain attacks, ranging from data exfiltration and malware execution to credential theft and dependency manipulation.
Best Practices for Securing the Software Supply Chain
Itʼs not just about security practices—itʼs about embracing a security mindset. As attackers increasingly target open-source ecosystems, developers must proactively assess risks and think defensively. Here are key questions to help build a stronger security posture:
How can I verify that the dependencies I install are safe?
→ Always check package signatures, hashes, and official repositories.
How do I distinguish between legitimate and typosquatted packages?
→ Verify package names, maintainers, version history, and official sources.
What red flags indicate that an open-source library has been compromised?
→ Unexpected updates, new unverified maintainers, and suspicious code changes.
What security measures should teams adopt to minimize supply chain risks?
→ Implement strict dependency policies, review third-party code, and use SBOMs.
Are automated dependency scanners enough, or do we need additional layers of defense?
→ Scanners help, but manual review, monitoring, and runtime security are essential.
By fostering a security-first mindset, developers can strengthen their defenses, mitigate supply chain threats, and contribute to a safer open-source ecosystem.
At Loginsoft, we provide advanced Dependency Defense solutions to help organizations and developers analyze and secure their software supply chains. Learn more about how we can help mitigate open-source risks at Loginsoft Research-as-a-Service.
Conclusion
The widespread adoption of requests makes it an attractive target for typosquatting attacks on PyPI. Malicious actors continue to exploit developer trust and human error to distribute harmful dependencies. As new libraries gain popularity, attackers will continue to adapt, targeting emerging dependencies in search of new opportunities for exploitation.
As the open-source ecosystem grows, so do the risks. Developers must stay vigilant, implement robust security controls, and foster a culture of security awareness to safeguard against the silent threat of software supply chain attacks.
Resources:
- VirusTotal Analysis of Malicious URL
- VirusTotal Analysis of Main.exe
- Loginsoft Research-as-a-Service - Dependency Defense
Loginsoft Research Team
- Dhanesh Dodia - Sr. Security Researcher, Loginsoft
- Sambarathi Sai - Security Researcher, Loginsoft
- Dwijay Chintakunta -Security Researcher, Loginsoft
About Loginsoft
For over 20 years, leading companies in Telecom, Cybersecurity, Healthcare, Banking, New Media, and more have come to rely on Loginsoft as a trusted resource for technology talent. From startups, to product and enterprises rely on our services. Whether Onsite, Offsite, or Offshore, we deliver. With a track record of successful partnerships with leading technology companies globally, and specifically in the past 6 years with Cybersecurity product companies, Loginsoft offers a comprehensive range of security offerings, including Software Supply Chain, Vulnerability Management, Threat Intelligence, Cloud Security, Cybersecurity Platform Integrations, creating content packs for Cloud SIEM, Logs onboarding and more. Our commitment to innovation and expertise has positioned us as a trusted player in the cybersecurity space. Loginsoft continues to provide traditional IT services which include Software development & Support, QA automation, Data Science & AI, etc.
Expertise in Integrations with Threat Intelligence and Security Products: Built more than 250+ integrations with leading TIP, SIEM, SOAR, and Ticketing Platforms such as Cortex XSOAR, Anomali, ThreatQ, Splunk, IBM QRadar & Resilient, Microsoft Azure Sentinel, ServiceNow, Swimlane, Siemplify, MISP, Maltego, Cryptocurrency Digital Exchange Platforms, CISCO, Datadog, Symantec, Carbonblack, F5, Fortinet, and so on. Loginsoft is a partner with industry leading technology vendors Palo Alto, Splunk, Elastic, IBM Security, etc.
In addition, Loginsoft offers Research as a service: We're more than just experts in cybersecurity; we're your accredited in-house research team focused on unraveling the complexities of cybersecurity and future technologies. From Application Security to Threat Research, our seasoned professionals have cultivated expertise in every facet of the field. We've earned the trust of over 20 security platform companies, who count on our research and analysis to strengthen their cybersecurity solutions.
Interested to learn more? Let’s start a conversation.
