
posted by hubie on Friday February 24, @08:18AM

The code found in the malicious packages closely resembled legit offerings:

More than 400 malicious packages were recently uploaded to PyPI (Python Package Index), the official code repository for the Python programming language, in the latest indication that the targeting of software developers using this form of attack isn't a passing fad.

All 451 packages found recently by security firm Phylum contained almost identical malicious payloads and were uploaded in bursts that came in quick succession. Once installed, the packages create a malicious JavaScript extension that loads each time a browser is opened on the infected device, a trick that gives the malware persistence over reboots.

The JavaScript monitors the infected developer's clipboard for any cryptocurrency addresses that may be copied to it. When an address is found, the malware replaces it with an address belonging to the attacker. The objective: intercept payments the developer intended to make to a different party.

Besides vastly increasing the number of malicious packages uploaded, the latest campaign also uses a significantly different way to cover its tracks. Whereas the packages disclosed in November used encoding to conceal the behavior of the JavaScript, the new packages write function and variable identifiers in what appear to be random 16-bit combinations of Chinese language ideographs [...]

[...] The names of all 451 malicious packages the Phylum researchers found are included in the blog post. It's not a bad idea for anyone who intended to download one of the legitimate packages targeted to double-check that they didn't inadvertently obtain a malicious doppelganger.
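The identifier trick described above (function and variable names made of Chinese ideographs rather than an encoded payload) is something a defender can triage for cheaply. The following Python is an added example, not Phylum's or Ars Technica's detection logic: it strips comments and string literals from a JavaScript file, so localized user-facing text is not counted, then reports what share of the remaining identifiers contain CJK Unified Ideographs. The two JavaScript samples are constructed for illustration and the thresholds are assumptions.

```python
import re

# Keywords are removed so they do not inflate the identifier count.
# The list is deliberately short; every JS keyword is ASCII anyway.
_JS_KEYWORDS = {
    "async", "await", "break", "case", "catch", "class", "const", "continue",
    "default", "delete", "do", "else", "export", "extends", "false", "finally",
    "for", "function", "if", "import", "in", "instanceof", "let", "new", "null",
    "return", "switch", "this", "throw", "true", "try", "typeof", "undefined",
    "var", "void", "while", "yield",
}

# Comments and string literals are blanked out first, so Chinese text that is
# legitimately shown to users (i18n strings) is not mistaken for obfuscation.
_STRIP_RE = re.compile(
    r"//[^\n]*"                   # line comment
    r"|/\*.*?\*/"                 # block comment
    r'|"(?:\\.|[^"\\\n])*"'       # double-quoted string
    r"|'(?:\\.|[^'\\\n])*'"       # single-quoted string
    r"|`(?:\\.|[^`\\])*`",        # template literal
    re.DOTALL,
)

# A JavaScript identifier: a Unicode letter or underscore, then word characters.
_IDENT_RE = re.compile(r"[^\W\d]\w*")


def _is_cjk(name: str) -> bool:
    """True if the name contains a CJK Unified Ideograph (U+4E00..U+9FFF)."""
    return any(0x4E00 <= ord(ch) <= 0x9FFF for ch in name)


def score_identifiers(js_source: str) -> dict:
    """Count identifier occurrences and how many of them use CJK ideographs."""
    code = _STRIP_RE.sub(" ", js_source)
    names = [n for n in _IDENT_RE.findall(code) if n not in _JS_KEYWORDS]
    cjk = sum(1 for n in names if _is_cjk(n))
    ratio = (cjk / len(names)) if names else 0.0
    return {"total": len(names), "cjk": cjk, "ratio": ratio}


def looks_obfuscated(js_source: str, min_cjk: int = 5, min_ratio: float = 0.5) -> bool:
    """Triage rule (assumed thresholds): many identifiers, most of them CJK."""
    s = score_identifiers(js_source)
    return s["cjk"] >= min_cjk and s["ratio"] >= min_ratio


# Constructed sample: ordinary extension code that merely displays a Chinese string.
BENIGN_JS = """
// constructed sample: ordinary extension code with a localized string
const greeting = "你好，世界";
function show(msg) { console.log(msg); }
show(greeting);
"""

# Constructed sample: harmless arithmetic, but every identifier is an ideograph.
OBFUSCATED_JS = """
var 甲乙 = 0;
function 丙丁(戊己) { return 戊己 + 甲乙; }
var 庚辛 = 丙丁(1);
"""

if __name__ == "__main__":
    for label, src in (("benign", BENIGN_JS), ("obfuscated", OBFUSCATED_JS)):
        flag = "FLAG" if looks_obfuscated(src) else "ok"
        print(f"{label:11s} {score_identifiers(src)} {flag}")
```

This is a triage signal, not proof: developers who write in Chinese may legitimately name things this way, and an obfuscator can switch to any other script just as easily. Use it to decide which packages get a human look first, alongside checks that do not depend on the payload's style, such as comparing the package name and release against the project's own site.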



  • (Score: 2) by PiMuNu on Friday February 24, @08:35AM (4 children)

    by PiMuNu (3823) on Friday February 24, @08:35AM (#1293222)

    Just a query: is PyPI too vulnerable to use? For example, it is recommended by proper packages like numpy and so forth; but as it stands, it is vulnerable to bad actors like typo squatters etc. I sometimes type "easy_install numpy", what happens if I mistype?

    Is PyPI too vulnerable?

    • (Score: 4, Insightful) by janrinok on Friday February 24, @08:57AM

      by janrinok (52) on Friday February 24, @08:57AM (#1293223)

      IMO, not yet. The vast majority of the fake packages are exploiting similar names to the real packages - but they are detectable with care. Check from the main site of the project for the correct release version and date and make sure that is what you are downloading.
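The two checks in the reply above, a name that is really the one you meant and a release that matches what the project published, can both be automated. The Python below is an added example, not code from the article, Phylum or anyone in this thread: it normalizes requirement names the way PyPI does (PEP 503: lowercase, runs of `-`, `_` and `.` collapsed to `-`), flags any name within a small edit distance of an allowlist of packages you actually use (the mistyped `numpy` case), and verifies a downloaded artifact's SHA-256 against a pinned value, which is what pip enforces in `--require-hashes` mode. The allowlist, the requirements text and the distance threshold are constructed for illustration.

```python
import hashlib
import hmac
import re

# Constructed allowlist: the packages this project is known to depend on.
KNOWN_PACKAGES = {
    "numpy", "scipy", "pandas", "matplotlib", "requests", "urllib3",
    "setuptools", "cryptography", "pyyaml",
}


def normalize(name: str) -> str:
    """PEP 503 normalization: lowercase, runs of '-', '_' and '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute) by the standard DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_name(name: str, known=KNOWN_PACKAGES, max_distance: int = 2):
    """Return ('ok', name), ('suspicious', lookalike) or ('unknown', None)."""
    n = normalize(name)
    if n in known:
        return ("ok", n)
    closest = min(known, key=lambda k: edit_distance(n, k))
    if edit_distance(n, closest) <= max_distance:
        return ("suspicious", closest)   # near-miss of something on the allowlist
    return ("unknown", None)


# Leading project name of a requirement line, before any version specifier.
_REQ_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*")


def audit_requirements(text: str):
    """Run check_name over every non-comment line of a requirements file."""
    results = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _REQ_NAME_RE.match(line)
        if not m:
            continue
        status, closest = check_name(m.group(0))
        results.append((m.group(0), status, closest))
    return results


def verify_sha256(data: bytes, expected_hex: str) -> bool:
    """Compare an artifact's SHA-256 with the pinned digest in constant time."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_hex.lower())


# Constructed requirements file containing one typo of a real dependency.
REQUIREMENTS = """\
# constructed sample requirements file
numpy==1.24.2
nunpy==1.24.2
requests>=2.28
totally-different-thing
"""

if __name__ == "__main__":
    for name, status, closest in audit_requirements(REQUIREMENTS):
        note = f" (did you mean {closest}?)" if status == "suspicious" else ""
        print(f"{name:25s} {status}{note}")
```

Two caveats: the distance threshold needs care with very short names (a two-character distance covers most three-letter words, so treat `pip`-length entries separately or require an exact match), and a near-miss is only a prompt to look, since some legitimate packages really do have names one letter apart. The hash check is the stronger control because it does not depend on names at all: pin the digest the project publishes, and a lookalike upload fails to install regardless of what it is called.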

    • (Score: 4, Touché) by Rosco P. Coltrane on Friday February 24, @01:29PM (2 children)

      by Rosco P. Coltrane (4757) on Friday February 24, @01:29PM (#1293233)

      I sometimes type "easy_install numpy", what happens if I mistype?

      Don't mistype?

      Whatever happened to being careful when installing shit?

      • (Score: 3, Funny) by Freeman on Friday February 24, @04:48PM

        by Freeman (732) on Friday February 24, @04:48PM (#1293260)

        Wait, I wasn't supposed to just click the first download link on the sidebar when I did a google search?

        --
        Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
      • (Score: 2) by PiMuNu on Saturday February 25, @11:23AM

        by PiMuNu (3823) on Saturday February 25, @11:23AM (#1293354)

        > Whatever happened to being careful when installing shit?

        Right. Note to self. Don't make a typo. Make sure anyone else using the same box doesn't make a typo. kthx

  • (Score: 3, Insightful) by Snospar on Friday February 24, @01:46PM (4 children)

    by Snospar (5366) on Friday February 24, @01:46PM (#1293237)

    It's obvious that this abuse of PyPI is only going to get worse. Surely there is some way packages could be reviewed prior to being published for download by others? I realise this will involve effort but it can't be that onerous. Think about the number of different Linux distributions out there all of which review every package, and sign it cryptographically to ensure trust, before they can be installed. Isn't something similar here or is the number of developers and lack of control simply too big a task to manage?

    • (Score: 3, Funny) by Rosco P. Coltrane on Friday February 24, @02:00PM (1 child)

      by Rosco P. Coltrane (4757) on Friday February 24, @02:00PM (#1293240)

      I have a better idea: the Python interpreter should be distributed with ALL modules in the PyPI repo. That way, it's one easy download and you have everything you need right away without risking installing the wrong thing later on.
      Better: import them all by default. That way, you also do away with those pesky import directives.

      • (Score: 3, Funny) by Freeman on Friday February 24, @02:28PM

        by Freeman (732) on Friday February 24, @02:28PM (#1293243)

        Largest ever binary of "Hello World!" incoming.

        --
        Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
    • (Score: 3, Interesting) by GloomMower on Friday February 24, @04:03PM

      by GloomMower (17961) on Friday February 24, @04:03PM (#1293251)

      I think there are companies trying to offer this as a paid service.

      I feel like this could be a good opportunity for something like a web of trust of keys. And you can sign other packages' keys.

      So like numpy signs their package. And they signed the keys of the packages they use.

      Then, before installing numpy, you import their key and allow installs under numpy's web of trust.

      I'm sure there is still some flaw here, but could it block typo squatters perhaps?

    • (Score: 2) by Snospar on Sunday February 26, @01:18AM

      by Snospar (5366) on Sunday February 26, @01:18AM (#1293414)

      Isn't something similar possible here

      FFS I should have spotted that on the Preview
