SoylentNews is people
SoylentNews
Submitted via IRC for SoyCow5743
The Slovak National Security Office (NBU) has identified ten malicious Python libraries uploaded on PyPI — Python Package Index — the official third-party software repository for the Python programming language.
NBU experts say attackers used a technique known as typo-squatting to upload Python libraries with names similar to legitimate packages — e.g.: "urlib" instead of "urllib."
The PyPI repository does not perform any types of security checks or audits when developers upload new libraries to its index, so attackers had no difficulty in uploading the modules online.
Developers who mistyped the package name loaded the malicious libraries in their software's setup scripts.
"These packages contain the exact same code as their upstream package thus their functionality is the same, but the installation script, setup.py, is modified to include a malicious (but relatively benign) code," NBU explained.
[...] Indicators of compromise are available in the NBU security alert.
[...] On a side note, and unrelated to the attack vector, NBU also advises Python developers to avoid using "pip" — a Python package installer — when downloading Python libraries, as pip does not support cryptographic signatures.
(Score: 2) by pvanhoof on Monday September 18 2017, @07:47PM
I suppose Ubuntu's Launchpad is for you, then. It allows individual software developers to easily provide you with a repository upon which their packages and made available. You can add their launchpad to your list of trusted repositories. I guess a system that publishes popularity of such repositories could serve as a somewhat automated way of providing trust.
ie. A Launchpad that contains a pip package called bzip containing malicious code would after this news-item have lost almost all of its trust. You could then quite easily let your scripts or other tools threshold at a certain level of community-assigned trust. Or you could use another source of trust when multiple such sources are made available.
A single repository with no human review whatsoever, however, deserves equal amounts of trust: zero. If that's what pip is, then pip cannot be used. Plus pip apparently has no cryptographic verification either. That sucks for networks that can be MiTM'ed. So that sucks for the vast majority of networks.