SoylentNews is people
SoylentNews
Submitted via IRC for SoyCow5743
The Slovak National Security Office (NBU) has identified ten malicious Python libraries uploaded on PyPI — Python Package Index — the official third-party software repository for the Python programming language.
NBU experts say attackers used a technique known as typo-squatting to upload Python libraries with names similar to legitimate packages — e.g.: "urlib" instead of "urllib."
The PyPI repository does not perform any types of security checks or audits when developers upload new libraries to its index, so attackers had no difficulty in uploading the modules online.
Developers who mistyped the package name loaded the malicious libraries in their software's setup scripts.
"These packages contain the exact same code as their upstream package thus their functionality is the same, but the installation script, setup.py, is modified to include a malicious (but relatively benign) code," NBU explained.
[...] Indicators of compromise are available in the NBU security alert.
[...] On a side note, and unrelated to the attack vector, NBU also advises Python developers to avoid using "pip" — a Python package installer — when downloading Python libraries, as pip does not support cryptographic signatures.
(Score: 2) by Grishnakh on Monday September 18 2017, @04:34PM (4 children)
policing this stuff is a thankless job
Perhaps, but you don't see this shit happening with Debian, and you do see a very serious commitment there to making sure every package has a proper maintainer and is verified to not be some kind of garbage.
I think the blame should fall on the individual authors who included the wrong package.
It should also fall on the entire culture Python has for having a repository loaded with garbage with no policing at all, and authors including dependency packages for everything imaginable, even if it's some ultra-simple thing that could be done in a few lines of code. As I said before, you don't see this shit with Debian.
(Score: 2) by JNCF on Monday September 18 2017, @05:03PM
Debian is targeting a certain crowd a users, and I don't fault them for that. I don't think every distro should vet their packages by hand, though; a decentralised, uncensorable repository sounds lovely. Our disagreement is ideological.
(Score: 0) by Anonymous Coward on Monday September 18 2017, @05:04PM
this is what happens when you are lousey with mac using hipsters. they were too busy twisting their handlebar mustaches to care about security.
(Score: 4, Informative) by LoRdTAW on Monday September 18 2017, @07:21PM (1 child)
Yet somehow pulseaudio AND systemd somehow made their way into the codebase. (ducks)
(Score: 2) by pvanhoof on Monday September 18 2017, @08:40PM
Well, pulseaudio and systemd's package maintainers at least provide security updates for the malware their upstreams created and get discovered. The package maintainer of bzip in pip will probably not respond with a security update of the package now that malicious code has been discovered. So it has to be removed. Hmm. I guess that would make systemd and pulseaudio haters more happy? Fine then, maintain your local distro with pip instead of apt-get.