
A new crop of malicious modules found on PyPI

source link: https://lwn.net/Articles/913555/

[Posted November 2, 2022 by corbet]
Phylum has posted an article with a detailed look at a set of malicious packages discovered by an automated system they have developed.
Similar to this attacker’s previous attempts, this particular attack starts by copying existing popular libraries and simply injecting a malicious __import__ statement into an otherwise healthy codebase. The benefit this attacker gained from copying an existing legitimate package is that, because the PyPI landing page for the package is generated from the setup.py and the README.md, they immediately have a real-looking landing page with mostly working links and the whole bit. Unless thoroughly inspected, a brief glance might lead one to believe this is also a legitimate package.
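The injection the excerpt describes, a single __import__-based one-liner dropped into an otherwise ordinary setup.py, is cheap to screen for statically before anything is installed. The following is an added example, not Phylum's tooling or code from the LWN article: it parses a setup.py with Python's ast module and flags dynamic-import and code-execution builtins, attribute calls that usually mean "unpack or fetch a payload", and imports of modules a build script rarely needs. Both setup.py texts are constructed for the example (the "injected" line would only print a string if it ever ran, and the scanner never executes it); the lists of suspicious names are this example's own choices, not a published signature set.

```python
"""Static screen for an injected __import__/exec one-liner in setup.py.

Added example, not Phylum's or PyPI's code. Both setup.py texts below are
constructed; the scanner only parses them and never executes anything.
"""
import ast
from dataclasses import dataclass
from typing import Optional

# Bare builtins (or builtins.*) that turn a string into running code.
EXEC_PRIMITIVES = {"__import__", "exec", "eval", "compile"}
# Attribute names that usually mean "fetch or unpack a payload, then run it".
RISKY_ATTRS = {"b64decode", "urlopen", "Popen", "system", "check_output", "fromhex"}
# Modules a build script has little legitimate reason to import.
SUSPICIOUS_MODULES = {"base64", "subprocess", "socket", "urllib", "requests", "ctypes"}


@dataclass(frozen=True)
class Finding:
    lineno: int
    kind: str    # "import" or "call"
    detail: str  # module name or dotted callee


def _dotted_name(node: ast.AST) -> Optional[str]:
    """'a.b.c' for Name/Attribute chains. A call inside the chain keeps its
    callee name, so __import__("builtins").exec becomes '__import__.exec'."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    if isinstance(node, ast.Call):
        return _dotted_name(node.func)
    return None


def _is_suspicious_call(name: str) -> bool:
    parts = name.split(".")
    if "__import__" in parts:  # anything hung off a dynamic import
        return True
    if parts[-1] in RISKY_ATTRS:
        return True
    # exec/eval/compile only when bare or builtins.*, so re.compile() is not flagged
    return parts[-1] in EXEC_PRIMITIVES and (len(parts) == 1 or parts[0] == "builtins")


def scan_setup_py(source: str) -> list[Finding]:
    """Return findings sorted by line; an empty list means nothing matched."""
    findings: set[Finding] = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name.split(".")[0] in SUSPICIOUS_MODULES:
                    findings.add(Finding(node.lineno, "import", alias.name))
        elif isinstance(node, ast.ImportFrom):
            if (node.module or "").split(".")[0] in SUSPICIOUS_MODULES:
                findings.add(Finding(node.lineno, "import", node.module))
        elif isinstance(node, ast.Call):
            name = _dotted_name(node.func)
            if name and _is_suspicious_call(name):
                findings.add(Finding(node.lineno, "call", name))
    return sorted(findings, key=lambda f: (f.lineno, f.kind, f.detail))


# Constructed: an ordinary setup.py, including a legitimate re.compile() call.
CLEAN_SETUP = '''\
from setuptools import setup, find_packages
import re

with open("README.md") as fh:
    long_description = fh.read()
VERSION_RE = re.compile(r'__version__ = "(.*?)"')
setup(name="goodpkg", version="1.0", long_description=long_description,
      packages=find_packages())
'''

# Constructed: the same file with a one-line injection of the kind described.
# The base64 payload is just print('hi'); nothing here runs it.
TROJANED_SETUP = '''\
from setuptools import setup, find_packages
import base64

with open("README.md") as fh:
    long_description = fh.read()
# injected line (constructed for the example)
__import__("builtins").exec(base64.b64decode("cHJpbnQoJ2hpJyk=").decode())
setup(name="g00dpkg", version="1.0", long_description=long_description,
      packages=find_packages())
'''

if __name__ == "__main__":
    for label, src in (("clean", CLEAN_SETUP), ("trojaned", TROJANED_SETUP)):
        print(label, [(f.lineno, f.kind, f.detail) for f in scan_setup_py(src)])
```

The scan is deliberately a cheap first pass: it catches the copy-and-inject pattern the write-up describes, but not a payload hidden in a compiled extension or pulled in from another module, so it belongs alongside, not instead of, diffing a suspicious upload against the package it imitates.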


Posted Nov 2, 2022 19:37 UTC (Wed) by domdfcoding (guest, #159754)

Presumably the description source (markdown etc.) is *identical* to that of the original package, rather than just producing visually identical HTML? If that's the case it would be trivial to scan newly created projects and compare their description to known good packages - anything that matches is flagged as malicious.

Posted Nov 2, 2022 20:03 UTC (Wed) by phlogistonjohn (subscriber, #81085)

The article notes that the malicious package author, "made a few slight modifications in an effort to make the text consistent with the phony package name it was published under." So some changes were made. Having description text very similar to other packages could probably be part of some malicious package scoring system. Maybe that's part of the toolset that these Phylum folks are building?

Posted Nov 3, 2022 6:53 UTC (Thu) by LtWorf (subscriber, #124958)

> Having description text very similar to other packages could probably be part of some malicious package scoring system.

Then you flag the 500 modules that all do colours for terminal and the 5000 who wrap python's http library to provide a different API (numbers made up).
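One way to try the description-comparison idea discussed in the three comments above, as an added example rather than code from Phylum, PyPI or any of the commenters: each description has its own package name masked out (so the attacker's name substitution does not hide the copy), the rest is tokenised and compared with difflib, and a new project is flagged only against a known package with a different name and a similarity above a threshold. All three descriptions are constructed for the example; the 0.8 threshold and the masking rule are this example's assumptions. The "othercolors" case is there to illustrate the false-positive objection: two libraries for the same job share vocabulary but do not score as a copy.

```python
"""Flag a new PyPI project whose description is a near-copy of a known package.

Added example; every description below is constructed, not real PyPI text.
"""
import difflib
import re

# Constructed "known good" descriptions, keyed by package name.
KNOWN_GOOD = {
    "goodcolors": (
        "goodcolors adds ANSI colour to terminal output. Install with "
        "`pip install goodcolors`. Usage: `from goodcolors import red; "
        "print(red('error'))`. Supports the 16 and 256 colour palettes "
        "and legacy Windows consoles."
    ),
    "goodhttp": (
        "goodhttp is a thin wrapper around urllib with a requests-like API. "
        "Install with `pip install goodhttp`. Usage: `goodhttp.get(url).json()`. "
        "Features: sessions, retries, timeouts, streaming downloads."
    ),
}

# Constructed candidate 1: the goodcolors text with the name swapped and one
# sentence added, the "slight modifications" the comments mention.
COPYCAT_NAME = "g00dcolors"
COPYCAT_DESC = (
    "g00dcolors adds ANSI colour to terminal output. Install with "
    "`pip install g00dcolors`. Usage: `from g00dcolors import red; "
    "print(red('error'))`. Supports the 16 and 256 colour palettes "
    "and legacy Windows consoles. Now with faster startup."
)

# Constructed candidate 2: a different library for the same job.
UNRELATED_NAME = "othercolors"
UNRELATED_DESC = (
    "othercolors: tiny terminal colour helpers with zero dependencies. "
    "`pip install othercolors`, then `othercolors.paint('ok', 'green')`."
)


def _tokens(name: str, text: str) -> list[str]:
    """Lower-case word tokens with the package's own name masked out."""
    masked = re.sub(re.escape(name), " __pkg__ ", text, flags=re.IGNORECASE)
    return re.findall(r"[a-z0-9_]+", masked.lower())


def similarity(name_a: str, desc_a: str, name_b: str, desc_b: str) -> float:
    """Token-level similarity in [0, 1]; 1.0 means identical after masking."""
    a, b = _tokens(name_a, desc_a), _tokens(name_b, desc_b)
    return difflib.SequenceMatcher(None, a, b, autojunk=False).ratio()


def flag_lookalikes(candidate_name: str, description: str,
                    known: dict = KNOWN_GOOD, threshold: float = 0.8) -> list[tuple[str, float]]:
    """Known packages (other than the candidate itself) whose description the
    candidate's text is a near-copy of, best match first."""
    hits = []
    for known_name, known_desc in known.items():
        if known_name == candidate_name:
            continue  # a new release of the package itself is not a lookalike
        score = similarity(candidate_name, description, known_name, known_desc)
        if score >= threshold:
            hits.append((known_name, round(score, 3)))
    return sorted(hits, key=lambda h: h[1], reverse=True)


if __name__ == "__main__":
    print("copycat  ", flag_lookalikes(COPYCAT_NAME, COPYCAT_DESC))
    print("unrelated", flag_lookalikes(UNRELATED_NAME, UNRELATED_DESC))
```

The threshold is the whole argument: a lightly edited copy lands well above 0.9 because the token sequence is preserved almost intact, while two independently written descriptions of similar tools share words but not long runs of them and stay far below 0.8. Tuning it against a real corpus, and excluding the package's own releases and forks that declare their origin, is what separates a usable signal from the flood of terminal-colour and HTTP-wrapper false positives the last comment warns about.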

Posted Nov 2, 2022 22:18 UTC (Wed) by mss (subscriber, #138799)

Here we go again.

Another lesson why installed packages should only come from the official distro repository rather than from some uncurated language-specific kitchen sink.

And languages themselves should stop encouraging workflows that include downloading random executable code from the Internet.

Posted Nov 3, 2022 5:07 UTC (Thu) by irvingleonard (guest, #156786)

Just forget about portability and deal with all the different versions and package names in different distro versions. Why? Not to mention: what would be the solution for macOS, or Windows?
