Malicious code has been found on the Python Package Index (PyPI), the most popular location for sharing Python packages. This was reported by the Slovak National Security Office and then picked up by Bleeping Computer, among other places (e.g. Reddit). The attack vector was typosquatting: someone uploads a package whose name is a common misspelling of a popular package, for example lmxl instead of lxml, so that anyone who mistypes the real name installs the malicious package instead.
You can see the original report from Slovak National Security Office here: http://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/
I saw this vector discussed last August in this blog post, which a lot of people seemed to think little of at the time. It’s interesting that people are now taking the issue a lot more seriously.
This also reminded me of the controversy over a startup called Kite, which inserted adware / spyware into editor plugins such as Atom’s autocomplete-python.
Packaging in Python needs some help. I like how much better it is now than it was 10 years ago, but there are still a lot of issues.
I’m not an expert, but some guys pointed me to pipenv*, which could mitigate this with Pipfiles and sha256 hashes.
* http://docs.pipenv.org/en/latest/advanced.html#pipfile-lock-security-features
I’m not an expert in this area either, although I would think some kind of code signing would help.
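The two defensive checks touched on above, flagging names that are a typo away from a well-known package (the lmxl / lxml pattern from the post) and rejecting an artifact whose sha256 does not match a pinned hash (the Pipfile / hash-lock idea from the comment), as an added example. This is not code from the post, from pipenv or from pip; the allow-list of package names, the requirements text and the artifact bytes are constructed sample data, and the `--hash=sha256:` line format only mirrors pip's hash-pinning syntax.

```python
"""Added example: two pre-install checks over a requirements file.

1. find_typosquat_candidates: flag dependency names within a small edit
   distance of a known package name but not equal to it.
2. parse_pinned_requirements / verify_artifact: accept an artifact only if
   its sha256 matches the pin recorded for that package.

All names, requirement lines and artifact bytes here are constructed.
"""
import hashlib
import re

# Constructed allow-list; a real deployment would use the project's own
# vetted dependency list rather than a hard-coded set.
KNOWN_PACKAGES = {"lxml", "requests", "urllib3", "numpy", "setuptools"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using the classic two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def normalize(name: str) -> str:
    """PEP 503 name normalisation: lower-case, runs of -_. collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def find_typosquat_candidates(names, known=KNOWN_PACKAGES, max_distance=2):
    """Return (requested_name, closest_known_name) for suspicious names.

    A name that exactly matches a known package is fine; one that is close
    to a known package but not identical is a typosquat candidate.
    """
    hits = []
    for name in names:
        n = normalize(name)
        if n in known:
            continue
        best = min(known, key=lambda k: edit_distance(n, k))
        if edit_distance(n, best) <= max_distance:
            hits.append((name, best))
    return hits


# name==version --hash=sha256:<64 hex chars>, one requirement per line
PIN_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9_.-]+)==(?P<ver>\S+)\s+--hash=sha256:(?P<digest>[0-9a-f]{64})$"
)


def parse_pinned_requirements(text: str) -> dict:
    """Map normalised package name -> (version, sha256 hex digest).

    Any non-comment line without a version pin and a sha256 hash is rejected,
    so a partially pinned file cannot slip an unverified package through.
    """
    pins = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = PIN_RE.match(line)
        if not m:
            raise ValueError(f"unpinned or malformed requirement: {line!r}")
        pins[normalize(m["name"])] = (m["ver"], m["digest"])
    return pins


def verify_artifact(name: str, data: bytes, pins: dict) -> bool:
    """True only if a pin exists for `name` and the artifact's sha256 matches it."""
    key = normalize(name)
    if key not in pins:
        return False
    return hashlib.sha256(data).hexdigest() == pins[key][1]


# Constructed sample data: the "good" artifact and a pin derived from it.
SAMPLE_ARTIFACT = b"constructed sdist bytes standing in for lxml 4.0.0"
TAMPERED_ARTIFACT = b"constructed bytes standing in for a substituted package"
SAMPLE_REQUIREMENTS = (
    "# constructed hash-pinned requirements\n"
    f"lxml==4.0.0 --hash=sha256:{hashlib.sha256(SAMPLE_ARTIFACT).hexdigest()}\n"
)


if __name__ == "__main__":
    print(find_typosquat_candidates(["lmxl", "requests", "numpy"]))
    pins = parse_pinned_requirements(SAMPLE_REQUIREMENTS)
    print(verify_artifact("lxml", SAMPLE_ARTIFACT, pins))
    print(verify_artifact("lxml", TAMPERED_ARTIFACT, pins))
    print(verify_artifact("lmxl", SAMPLE_ARTIFACT, pins))
```

The edit-distance check is a triage signal rather than a verdict: with a threshold of 2 it will also flag legitimately distinct short names, so review its output rather than blocking on it automatically. The hash check is the stronger control, since it does not care what the package is called, only whether the bytes being installed are the bytes that were reviewed when the pin was written.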