
posted by hubie on Monday June 27 2022, @05:35AM   Printer-friendly
from the uh-oh-on-PyPI dept.

Multiple malicious Python packages available on the PyPI repository were caught stealing sensitive information like AWS credentials and transmitting it to publicly exposed endpoints accessible by anyone:

PyPI is a repository of open-source packages that software developers use to pick the building blocks of their Python-based projects or share their work with the community.

While PyPI is usually quick to respond to reports of malicious packages on the platform, there's no real vetting before submission, so dangerous packages may lurk there for a while.

Software supply-chain security companies like Sonatype use specialized automated malware detection tools to spot them, and in this case, they identified the following packages as malicious:

  • loglib-modules
  • pyg-modules
  • pygrata
  • pygrata-utils
  • hkg-sol-utils

While the first two packages attempt to mimic legitimate and popular projects on PyPI to trick careless or inexperienced users into installing them, and the other three don't have apparent targeting, all five feature code similarities or connections.

[...] Since these malicious packages aren't using typosquatting tricks, they're not randomly targeting developers who mistyped a character but users looking for specific tools for their projects.

Software developers are advised to go beyond package names and scrutinize release histories, upload dates, homepage links, package descriptions, and download numbers, all collectively helping determine if a Python package is the real deal or a dangerous fake.
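The advice above (check release history, upload dates, homepage links and descriptions before trusting a package name) can be scripted. The following is an added example, not code from the article or from Sonatype: it applies a few of those heuristics to metadata in the shape returned by the PyPI JSON API (`https://pypi.org/pypi/<name>/json`, an `info` object plus a `releases` map), and flags names that look like a prefix/suffix or typo variant of a project the reader has already vetted. The sample metadata, the timestamps and the `VETTED` allow-list are constructed for the example; download counts are not part of that API and are left out.

```python
"""Heuristic vetting of a PyPI project's metadata.

Added example (not code from the article or from Sonatype).  It reads the shape of the
PyPI JSON API response (https://pypi.org/pypi/<name>/json): an ``info`` object plus a
``releases`` map of version -> uploaded files.  Download counts are served by a separate
service and are not covered here.  The sample below is constructed, not a real package.
"""
from __future__ import annotations

import difflib
import json
from datetime import datetime, timedelta, timezone
from urllib.request import urlopen

# Constructed sample in the JSON-API shape: brand new, two releases minutes apart, no links.
SAMPLE_METADATA = json.loads("""
{
  "info": {"name": "example-modules", "summary": "", "home_page": "", "project_urls": null},
  "releases": {
    "0.1.0": [{"upload_time_iso_8601": "2022-06-20T10:00:00.000000Z"}],
    "0.1.1": [{"upload_time_iso_8601": "2022-06-20T10:05:00.000000Z"}]
  }
}
""")
SAMPLE_NOW = datetime(2022, 6, 27, tzinfo=timezone.utc)  # constructed "today" for the sample

# Hypothetical allow-list of names an organisation has already vetted (assumption).
VETTED = ["pygments", "pyyaml", "requests"]


def fetch_metadata(name: str) -> dict:
    """Fetch live metadata for one project (needs network; not used by the sample run)."""
    with urlopen(f"https://pypi.org/pypi/{name}/json", timeout=10) as resp:
        return json.load(resp)


def first_upload(meta: dict) -> datetime | None:
    """Earliest upload time across all releases, or None if nothing was uploaded."""
    stamps = [f["upload_time_iso_8601"]
              for files in meta.get("releases", {}).values() for f in files]
    if not stamps:
        return None
    # fromisoformat() accepts a trailing 'Z' only from Python 3.11 on, so normalise it.
    return min(datetime.fromisoformat(s.replace("Z", "+00:00")) for s in stamps)


def resembles_vetted(name: str, vetted: list[str]) -> str | None:
    """Vetted name that *name* looks like (prefix/suffix variant or near-typo), else None."""
    n = name.lower().replace("_", "-")
    if n in vetted:
        return None  # it is the vetted project itself
    for v in sorted(vetted):
        close = difflib.SequenceMatcher(None, n, v).ratio() >= 0.8
        if n.startswith(v + "-") or n.endswith("-" + v) or close:
            return v
    return None


def assess_package(meta: dict, now: datetime, min_age_days: int = 30,
                   min_releases: int = 2) -> list[str]:
    """Return the heuristics that fired for this metadata; empty list means none did."""
    info = meta.get("info", {})
    releases = meta.get("releases", {})
    findings: list[str] = []
    if not (info.get("home_page") or info.get("project_urls")):
        findings.append("no homepage or project URLs")
    if not (info.get("summary") or "").strip():
        findings.append("empty description")
    if len(releases) < min_releases:
        findings.append(f"only {len(releases)} release(s)")
    first = first_upload(meta)
    if first is None:
        findings.append("no uploaded files")
    elif now - first < timedelta(days=min_age_days):
        findings.append(f"first upload only {(now - first).days} day(s) ago")
    look_alike = resembles_vetted(info.get("name", ""), VETTED)
    if look_alike:
        findings.append(f"name resembles vetted project '{look_alike}'")
    return findings


if __name__ == "__main__":
    for line in assess_package(SAMPLE_METADATA, SAMPLE_NOW):
        print("WARNING:", line)
```

Run as-is it reports the sample package as link-less, description-less and six days old; swap `SAMPLE_METADATA` for `fetch_metadata("some-name")` and `SAMPLE_NOW` for `datetime.now(timezone.utc)` to check a real project. None of these signals is proof of malice on its own (a genuinely new project trips the same checks), which is why the article pairs them with reading the homepage and release history by hand.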

  • (Score: 1, Funny) by Anonymous Coward on Monday June 27 2022, @09:58AM

    by Anonymous Coward on Monday June 27 2022, @09:58AM (#1256494)

    It gave the world AOL, IE, 4chan, and more so much more. Surely I can trust reputable package repositories?

  • (Score: 5, Interesting) by Anonymous Coward on Monday June 27 2022, @10:04AM

    by Anonymous Coward on Monday June 27 2022, @10:04AM (#1256496)

    I see the extensive list of js websites load and can't stop thinking about what exactly all that code does. Why is it needed on the page where you login to your bank account? Page hit counting? Surely not.

    How would you even know what it does considering how compression obfuscates the source.

    Maybe AI will come to our rescue? Could a plugin grab the page, render it in a container, and determine if it has unacceptable functionality? Who watches the watchers? Can we trust anyone anymore?

  • (Score: 1, Touché) by Anonymous Coward on Monday June 27 2022, @05:48PM (3 children)

    by Anonymous Coward on Monday June 27 2022, @05:48PM (#1256553)

    "stolen" aws keys? if you're using aws fuck you. how bout that?

    • (Score: 0) by Anonymous Coward on Monday June 27 2022, @07:39PM (2 children)

      by Anonymous Coward on Monday June 27 2022, @07:39PM (#1256568)

      AWS is Amazon, not Microsoft.

      • (Score: 3, Touché) by captain normal on Monday June 27 2022, @08:49PM (1 child)

        by captain normal (2205) on Monday June 27 2022, @08:49PM (#1256584)

        Is there a difference?

        --
        When life isn't going right, go left.
        • (Score: 0) by Anonymous Coward on Tuesday June 28 2022, @03:25AM

          by Anonymous Coward on Tuesday June 28 2022, @03:25AM (#1256640)

          Not really.. except.. if MS goes down Windows keeps running. Should AWS fail then half the internet goes down with it.

  • (Score: 1, Insightful) by Anonymous Coward on Monday June 27 2022, @07:42PM

    by Anonymous Coward on Monday June 27 2022, @07:42PM (#1256570)

    This is what happens when you don't curate your repositories. These new free-for-all systems (pypi, cargo, etc) are all vulnerable to these attacks.

  • (Score: 0) by Anonymous Coward on Tuesday June 28 2022, @01:31AM (2 children)

    by Anonymous Coward on Tuesday June 28 2022, @01:31AM (#1256619)

    News at 11.

    Nevertheless, even if you don't go install random libs for random use cases, I've seen countless times people just look for software they know on search engines and never double-check the package coordinates. That's a prime target for malware mimicking non-malware using similar package names or names that look "legit".

    Don't Google the artifact coordinates. Don't blindly copy-paste results from mvnrepository.com or whatever other search engine is used by other package repositories.

    Find the projects' official Web site. Verify it. Their documentation should mention where the packages can be obtained from repositories they officially publish on. They don't? Look at their code repository and/or build system to locate the coordinates and double-check them.

    This applies to PyPI, Maven Central, NPM and whatnot: installing things out of repositories out of coordinates you haven't validated, even if it's a project you know and trust, is as safe as randomly installing software from the first page you land on after you press "I feel lucky".

    Stay safe, even with software you know and trust! Won't save you from malicious packages, but may save you from installing an impersonator!

    • (Score: 0) by Anonymous Coward on Tuesday June 28 2022, @03:06AM (1 child)

      by Anonymous Coward on Tuesday June 28 2022, @03:06AM (#1256636)

      It's like the 1990s with Windows .exe downloads all over again.

      Those who do not learn from the past...

      • (Score: 0) by Anonymous Coward on Tuesday June 28 2022, @03:11AM

        by Anonymous Coward on Tuesday June 28 2022, @03:11AM (#1256638)

        Next up: Anti-virus for NPM / phlib / CPAN ... for the low low price of $2.99 per month! Contact us at McAfee for a quote today!
