Ten Malicious Libraries Found on PyPI - Python Package Index

LASER_oneXM

LASER_oneXM

Level 37
Thread author
Verified
Top Poster
Well-known
Feb 4, 2016
2,520
The Slovak National Security Office (NBU) has identified ten malicious Python libraries uploaded on PyPI — Python Package Index — the official third-party software repository for the Python programming language.

NBU experts say attackers used a technique known as typosquatting to upload Python libraries with names similar to legitimate packages — e.g.: "urlib" instead of "urllib."

The PyPI repository does not perform any types of security checks or audits when developers upload new libraries to its index, so attackers had no difficulty in uploading the modules online.

Developers who mistyped the package name loaded the malicious libraries in their software's setup scripts.

Libraries included malicious but benign code
"These packages contain the exact same code as their upstream package thus their functionality is the same, but the installation script, setup.py, is modified to include a malicious (but relatively benign) code," NBU explained.

Experts say the malicious code only collected information on infected hosts, such as name and version of the fake package, the username of the user who installed the package, and the user's computer hostname.

Collected data, which looked like "Y:urllib-1.21.1 admin testmachine", was uploaded to a Chinese IP address at "121.42.217.44:8080".

Packages removed last week
NBU officials contacted PyPI administrators last week who removed the packages before officials published a security advisory on Saturday. The following packages were found to contain the malicious code:

acqusition (uploaded 2017-06-03 01:58:01, impersonates acquisition)
apidev-coop (uploaded 2017-06-03 05:16:08, impersonates apidev-coop_cms)
bzip (uploaded 2017-06-04 07:08:05, impersonates bz2file)
crypt (uploaded 2017-06-03 08:03:14, impersonates crypto)
django-server (uploaded 2017-06-02 08:22:23, impersonates django-server-guardian-api)
pwd (uploaded 2017-06-02 13:12:33, impersonates pwdhash)
setup-tools (uploaded 2017-06-02 08:54:44, impersonates setuptools)
telnet (uploaded 2017-06-02 15:35:05, impersonates telnetsrvlib)
urlib3 (uploaded 2017-06-02 07:09:29, impersonates urllib3)
urllib (uploaded 2017-06-02 07:03:37, impersonates urllib3)
The malicious code was intended for use with Python 2.x, and it generated errors when used in Python 3.x applications. This is how users discovered its presence while debugging their apps.
Click to expand...
 
  • Like
Reactions: Venustus, Parsh, Captain Awesome and 1 other person
You must log in or register to reply here.

Similar threads

[correlate]
    • Like
North Korean hackers behind malicious VMConnect PyPI campaign
Replies
0
Views
1,246
News Archive
[correlate]
[correlate]
vtqhtr413
    • +Reputation
    • Like
Fake VMware vConnector package on PyPI targets IT pros
Replies
2
Views
1,730
News Archive
[correlate]
[correlate]
upnorth
    • Wow
    • Like
    • +Reputation
US govt demands data on PyPI developers
Replies
1
Views
1,067
News Archive
Zero Knowledge
Z

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top