Stories
Slash Boxes
Comments

SoylentNews is people

posted by Fnord666 on Monday September 18 2017, @01:41PM   Printer-friendly
from the dirty-libraries dept.

Submitted via IRC for SoyCow5743

The Slovak National Security Office (NBU) has identified ten malicious Python libraries uploaded on PyPI — Python Package Index — the official third-party software repository for the Python programming language.

NBU experts say attackers used a technique known as typo-squatting to upload Python libraries with names similar to legitimate packages — e.g.: "urlib" instead of "urllib."

The PyPI repository does not perform any types of security checks or audits when developers upload new libraries to its index, so attackers had no difficulty in uploading the modules online.

Developers who mistyped the package name loaded the malicious libraries in their software's setup scripts.

"These packages contain the exact same code as their upstream package thus their functionality is the same, but the installation script, setup.py, is modified to include a malicious (but relatively benign) code," NBU explained.

[...] Indicators of compromise are available in the NBU security alert.

[...] On a side note, and unrelated to the attack vector, NBU also advises Python developers to avoid using "pip" — a Python package installer — when downloading Python libraries, as pip does not support cryptographic signatures.

Source: https://www.bleepingcomputer.com/news/security/ten-malicious-libraries-found-on-pypi-python-package-index/


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 1) by terrab0t on Monday September 18 2017, @04:35PM (1 child)

    by terrab0t (4674) on Monday September 18 2017, @04:35PM (#569796)

    The same thing recently happened to Node Package Manager (NPM) [scmagazine.com]. They were looking at automated ways of detecting these kinds of similarly named packages.

    I think they have the same problem as PyPl. No one has time to manually audit each package submission.

  • (Score: -1, Redundant) by Anonymous Coward on Monday September 18 2017, @05:37PM

    by Anonymous Coward on Monday September 18 2017, @05:37PM (#569819)

    whitelist