performing-supply-chain-attack-simulation

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

Performing Supply Chain Attack Simulation

执行供应链攻击模拟

Overview

概述

Software supply chain attacks exploit trust in package registries through typosquatting (registering names similar to popular packages), dependency confusion (publishing higher-version public packages matching private names), and compromised package distribution. This skill detects these attack vectors by computing Levenshtein distance between package names and popular PyPI packages, verifying package integrity via SHA-256 hash comparison, scanning for known CVEs with pip-audit, and testing dependency resolution order for confusion vulnerabilities.

软件供应链攻击通过仿冒包（注册与热门包名称相似的包）、依赖混淆（发布与私有包名称匹配的更高版本公共包）以及被篡改的包分发方式，利用对包注册表的信任。本技能通过计算包名称与热门PyPI包之间的Levenshtein距离、通过SHA-256哈希对比验证包完整性、使用pip-audit扫描已知CVE，以及测试依赖解析顺序以检测混淆漏洞，来识别这些攻击向量。

When to Use

适用场景

When conducting security assessments that involve performing supply chain attack simulation
When following incident response procedures for related security events
When performing scheduled security testing or auditing activities
When validating security controls through hands-on testing

当涉及执行供应链攻击模拟的安全评估时
当遵循相关安全事件的应急响应流程时
当执行定期安全测试或审计活动时
当通过实操测试验证安全控制措施时

Prerequisites

前置条件

Python 3.9+ with
```
pip-audit
```
,
```
Levenshtein
```
,
```
requests
```
Access to PyPI JSON API (https://pypi.org/pypi/{package}/json)
Network access for package metadata retrieval

Legal Notice: This skill is for authorized security testing and educational purposes only. Unauthorized use against systems you do not own or have written permission to test is illegal and may violate computer fraud laws.

安装有
```
pip-audit
```
、
```
Levenshtein
```
、
```
requests
```
的Python 3.9+环境
可访问PyPI JSON API（https://pypi.org/pypi/{package}/json）
具备用于检索包元数据的网络访问权限

法律声明： 本技能仅用于授权的安全测试和教育目的。未经授权对非自有或未获得书面测试许可的系统使用本技能属于违法行为，可能违反计算机欺诈相关法律。

Key Detection Areas

核心检测领域

Typosquatting — compare package names against top PyPI packages using edit distance thresholds
Dependency confusion — check if internal package names exist on public PyPI with higher version numbers
Hash verification — download packages and verify SHA-256 digests match published hashes
Vulnerability scanning — audit installed packages against OSV and PyPA advisory databases
Metadata anomalies — flag packages with suspicious author emails, missing homepages, or very recent first upload dates

仿冒包（Typosquatting） —— 基于编辑距离阈值，将包名称与热门PyPI包进行对比
依赖混淆 —— 检查内部包名称是否在公共PyPI上存在更高版本
哈希验证 —— 下载包并验证SHA-256摘要是否与发布的哈希值匹配
漏洞扫描 —— 针对OSV和PyPA咨询数据库审计已安装的包
元数据异常 —— 标记带有可疑作者邮箱、缺失主页或首次上传日期极近的包

Output

输出

JSON report with risk scores per package, detected attack vectors, hash verification results, and CVE findings.

包含每个包的风险评分、检测到的攻击向量、哈希验证结果以及CVE发现的JSON报告。