Hello, welcome to the Wednesday, August 24, 2020 edition of the Sands Internet Storm Center's Stormcast.

My name is Johannes Ulrich, and today I'm recording again from Jacksonville, Florida, with the remainder of a late evening thunderstorm in the background.

Xavier today took a look at who is accessing the security.tXT file.

This file has been around for a couple years,

but became sort of more official in April

when RFC 91116 was finalized to promote it.

The idea of the file is to communicate security contact information

for a website. You may list email addresses, PGP keys or bug bounties that your site is participating

in. Of course, bug bounty hunters are one of the primary audiences for this type of file.

Xavier did see a good number of hits to his security.txt file,

and somewhat expected with the increasing popularity of this file,

the number of hits has been increasing this year. But another motivation may be

spam bots harvesting email addresses. So far, most of the hits appear to be automated.

Not too much spam to that address, according to Xavier. Of course, it's also possible that

bug bounty hunters are deploying scripts to collect sites

with worthwhile bug bounties.

I often talk about malicious Python packages, and recently I stated that I'll actually

not mention them as much anymore because, well, pretty much every day, at least once a week.

We have sort of a new news article where someone found some new malicious packages.

One question that often comes up is, well, is there some automatic way to detect them?

And sure, some of the reports that I'm referring to they come from commercial providers of

source code scanning tools but two researchers John Speed Myers and Zacharia Newman took a look at

...