Stories
Slash Boxes
Comments

SoylentNews is people

Ten Malicious Libraries Found on PyPI - Python Package Index

posted by Fnord666 on Monday September 18 2017, @01:41PM   Printer-friendly
from the dirty-libraries dept.

MrPlow writes:

Submitted via IRC for SoyCow5743

The Slovak National Security Office (NBU) has identified ten malicious Python libraries uploaded on PyPI — Python Package Index — the official third-party software repository for the Python programming language.

NBU experts say attackers used a technique known as typo-squatting to upload Python libraries with names similar to legitimate packages — e.g.: "urlib" instead of "urllib."

The PyPI repository does not perform any types of security checks or audits when developers upload new libraries to its index, so attackers had no difficulty in uploading the modules online.

Developers who mistyped the package name loaded the malicious libraries in their software's setup scripts.

"These packages contain the exact same code as their upstream package thus their functionality is the same, but the installation script, setup.py, is modified to include a malicious (but relatively benign) code," NBU explained.

[...] Indicators of compromise are available in the NBU security alert.

[...] On a side note, and unrelated to the attack vector, NBU also advises Python developers to avoid using "pip" — a Python package installer — when downloading Python libraries, as pip does not support cryptographic signatures.

Source: https://www.bleepingcomputer.com/news/security/ten-malicious-libraries-found-on-pypi-python-package-index/

Original Submission

 
This discussion has been archived. No new comments can be posted.
Ten Malicious Libraries Found on PyPI - Python Package Index | Log In/Create an Account | Top | 21 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 3, Insightful) by Grishnakh on Monday September 18 2017, @02:20PM (3 children)

    by Grishnakh (2831) on Monday September 18 2017, @02:20PM (#569748)

    NBU experts say attackers used a technique known as typo-squatting to upload Python libraries with names similar to legitimate packages — e.g.: "urlib" instead of "urllib."

    It seems to me that many things like this, and especially instances where someone takes advantage of cases where letters and numbers look nearly identical (1 vs. l, 0 vs. O) could have been avoided if we, as a society, had never abandoned serifed fonts.

    Starting Score:    1  point
    Moderation   +1  
       Insightful=1, Total=1
    Extra 'Insightful' Modifier   0  
    Karma-Bonus Modifier   +1  
    Total Score:   3  

  • (Score: 0) by Anonymous Coward on Monday September 18 2017, @07:21PM

    by Anonymous Coward on Monday September 18 2017, @07:21PM (#569866)

    Meh, I've seen serifed 1's and l's often look similar.

  • (Score: 2) by FakeBeldin on Wednesday September 20 2017, @12:36PM (1 child)

    by FakeBeldin (3360) on Wednesday September 20 2017, @12:36PM (#570596) Journal

    The impersonating libraries, with the originals (bold highlights the differences):

    – acqusition (uploaded 2017-06-03 01:58:01, impersonates acquisition)
    – apidev-coop (uploaded 2017-06-03 05:16:08, impersonates apidev-coop_cms)
    – bzip (uploaded 2017-06-04 07:08:05, impersonates bz2file)
    – crypt (uploaded 2017-06-03 08:03:14, impersonates crypto)
    – django-server (uploaded 2017-06-02 08:22:23, impersonates django-server-guardian-api)
    – pwd (uploaded 2017-06-02 13:12:33, impersonates pwdhash)
    – setup-tools (uploaded 2017-06-02 08:54:44, impersonates setuptools)
    – telnet (uploaded 2017-06-02 15:35:05, impersonates telnetsrvlib)
    – urlib3 (uploaded 2017-06-02 07:09:29, impersonates urllib3)
    – urllib (uploaded 2017-06-02 07:03:37, impersonates urllib3)

    A different font would not have helped at all against this attack or any attack like this attack. This is not a case of mistaking characters for other characters, this was more of a phishing attack.

    • (Score: 2) by Grishnakh on Wednesday September 20 2017, @02:40PM

      by Grishnakh (2831) on Wednesday September 20 2017, @02:40PM (#570620)

      I disagree on a couple of them: acqusition, and urlib3. With these sans-serif fonts where the l and i characters are so thin that you can barely see them (esp. when they're doubled, or not, as in the case of urlib3 (vs. urllib3)), it's easy to not notice the discrepancy if you're not looking for it. Even back in the good-ol' days of non-proportional terminal fonts, these things would be a lot easier to spot because each letter takes up the same amount of horizontal space (in fact, this might be an argument for non-proportional fonts rather than merely serifed ones).