A new crop of malicious modules found on PyPI
source link: https://lwn.net/Articles/913555/
Similar to this attacker’s previous attempts, this particular attack starts by copying existing popular libraries and simply injecting a malicious __import__ statement into an otherwise healthy codebase. The benefit this attacker gained from copying an existing legitimate package is that, because the PyPI landing page for the package is generated from the setup.py and the README.md, they immediately have a real-looking landing page with mostly working links and the whole bit. Unless thoroughly inspected, a brief glance might lead one to believe this is also a legitimate package.
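As an added example (not code from the article or from Phylum's report): a small AST-based triage check that lists the dynamic `__import__` / `importlib.import_module` calls in a module's source, the hook the excerpt describes, while leaving the ordinary `import` statements of a copied, legitimate codebase alone. The sample module and its injected last line are constructed for this example.

```python
import ast
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class DynamicImport:
    lineno: int
    kind: str              # "__import__" or "importlib.import_module"
    target: Optional[str]  # module name when it is a string literal, else None

def find_dynamic_imports(source: str) -> List[DynamicImport]:
    """Return every __import__() / importlib.import_module() call in `source`.

    Ordinary `import x` statements are not reported: a copied, legitimate
    codebase is full of them, and flagging them would only add noise.
    """
    hits: List[DynamicImport] = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if isinstance(func, ast.Name) and func.id == "__import__":
            kind = "__import__"
        elif (isinstance(func, ast.Attribute) and func.attr == "import_module"
              and isinstance(func.value, ast.Name) and func.value.id == "importlib"):
            kind = "importlib.import_module"
        else:
            continue
        target = None
        if node.args and isinstance(node.args[0], ast.Constant) \
                and isinstance(node.args[0].value, str):
            target = node.args[0].value  # literal module name; None means computed
        hits.append(DynamicImport(node.lineno, kind, target))
    return hits

# Constructed sample: an otherwise healthy module with one injected line at the end.
SAMPLE_MODULE = '''\
"""Constructed stand-in for a copied, legitimate-looking package module."""
import json
import os.path

def load(path):
    with open(path) as fh:
        return json.load(fh)

__import__("os").environ  # constructed stand-in for the injected statement
'''
```

A computed (non-literal) target, reported as `target=None`, is the case worth looking at first when reviewing a package by hand.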
Posted Nov 2, 2022 19:37 UTC (Wed) by domdfcoding (guest, #159754) [Link]
Posted Nov 2, 2022 20:03 UTC (Wed) by phlogistonjohn (subscriber, #81085) [Link]
Posted Nov 3, 2022 6:53 UTC (Thu) by LtWorf (subscriber, #124958) [Link]
Then you flag the 500 modules that all do colours for the terminal and the 5000 that wrap Python's http library to provide a different API (numbers made up).
Posted Nov 2, 2022 22:18 UTC (Wed) by mss (subscriber, #138799) [Link]
Here we go again.
Another lesson in why installed packages should only come from the official distro repository rather than from some uncurated language-specific kitchen sink.
And languages themselves should stop encouraging workflows that include downloading random executable code from the Internet.
Posted Nov 3, 2022 5:07 UTC (Thu) by irvingleonard (guest, #156786) [Link]