Twelve Malicious Python Libraries Found and Removed From PyPI (zdnet.com)

← Back to Stories (view on slashdot.org)

Twelve Malicious Python Libraries Found and Removed From PyPI (zdnet.com)

Posted by EditorDavid on Saturday October 27, 2018 @07:34AM from the perilous-packages dept.

An anonymous reader writes: A software security engineer has identified 12 Python libraries uploaded on the official Python Package Index (PyPI) that contained malicious code. The 12 packages used typo-squatting in the hopes a user would install them by accident or carelessness when doing a "pip install" operation for a mistyped more popular package, like Django (ex: diango).

Eleven libraries would attempt to either collect data about each infected environment, obtain boot persistence, or even open a reverse shell on remote workstations. A twelfth package, named "colourama," was financially-motivated and hijacked an infected users' operating system clipboard, where it would scan every 500ms for a Bitcoin address-like string, which it would replace with the attacker's own Bitcoin address in an attempt to hijack Bitcoin payments/transfers made by an infected user.
54 users downloaded that package -- although all 12 malicious packages have since been taken down.

Four of the packages were misspellings of django -- diango, djago, dajngo, and djanga.

36 comments

Min score:

Reason:

Sort:

Malicios Python? by jfdavis668 · 2018-10-27 07:46 · Score: 1

Which one, Terry Jones?
1. Re: Malicios Python? by Anonymous Coward · 2018-10-27 08:12 · Score: 0
  
  "Data science" is a cancer.
I've always hated Python because... by Jastiv · 2018-10-27 08:12 · Score: 2

I've always hated to deal with python in free software game projects because it moves too fast. I've had so many projects where because of old python, part of the project wouldn't work anymore. Its hard when you have a project with two or three developers on it and then now you have all these old python scripts and now they don't work anymore because your distribution upgrades your python. Alright, I don't even know how old it is, but when when you are dealing with these tiny teams of people, you are just going to have old code. Someday, I will take the python out of my project and replace it with a language I made up that never changes. I am a better person than the Python maintainers and I would never subject my users to the evils of backwards incompatibility.
1. Re:I've always hated Python because... by Anonymous Coward · 2018-10-27 08:24 · Score: 0
  
  Python 2 or 3 or whatever it is now?
  I'm on Mac so I'm stuck with Python 2 because of some reason that has never been explained in a way that makes any sense: it was all just hearsay.
2. Re:I've always hated Python because... by Anonymous Coward · 2018-10-27 08:41 · Score: 2, Insightful
  
  > I've always hated to deal with python in free software game projects because it moves too fast.
  Python 1.0 - January 1994
  Python 2.0 - October 16, 2000
  Python 2.4 - November 30, 2004
  Python 2.6 - October 1, 2008
  Python 3.0 - December 3, 2008
  I think that most likely you started with 2.4 or 2.6.. If we assume that you started with 2.4, in worst case scenario you started coding at 2008, right before 2.6 and 3.0 came out. If you did, in worst case scenario you would end up upgrading first to 2.6 and then to 3.0. within one year. If you started with 3.0 you probably didn't have any problems for 10 years. If you started at 2004, you probably had no problems for 4 years. It is highly likely that you simply had very bad luck with your timing.
3. Re:I've always hated Python because... by DCFusor · 2018-10-27 10:25 · Score: 3, Interesting
  
  Perl 5 - it's been forever since they broke userland - just incremental improvements. No need to worry about rakudo (used to be called perl6) replacing it - it's acknowledged to be a very different language that will never replace 5 for normal production.
  Which I know will get a zillion downvotes, because - with as much flexibility as perl has, some assholes use it to write unreadable code for job security or something. People look at mine and say "oh, how nice you write such clear and obvious code. Is that some better newer C?".
  You can use that rope to shoot yourself in the foot, or pull yourself up. Some people think there shouldn't be more than one way to do it. I like freedom.
  Hint: if you already know python, well, it's more or less a perl copy with crappier namespace and lifetime control, that uses whitespace instead of more civilized {}..and that's about the level of difference. There's even Inline::Python for perl...I use it myself as well as Inline::C. Then there's metacpan...
  
  --
  Why guess when you can know? Measure!
4. Re:I've always hated Python because... by Anonymous Coward · 2018-10-27 10:46 · Score: 1
  
  All the crap they've been writing about perl for the last 15 years... they are now writing about C++.
  Whiners just need to whine. Walking on to a team and finding that the code is downright illegible is like walking into a restaurant and finding you can't determine what the hell is in the salad. Obvious sign you should get up and walk away. Doesn't have anything to do with the language, it has to do with previous people's *use* of the language.
5. Re:I've always hated Python because... by Aighearach · 2018-10-27 10:57 · Score: 1
  
  I've always hated to deal with python in free software game projects because it moves too fast.
  
  And here I was exited for the next popular new framework, diango! I thought I was going to generate websites off of dia graphs.
6. Re:I've always hated Python because... by Venona2018 · 2018-10-27 11:44 · Score: 3, Informative
  
  Python 2 or 3 or whatever it is now?
  I'm on Mac so I'm stuck with Python 2 because of some reason that has never been explained in a way that makes any sense: it was all just hearsay.
  You are not stuck on Python 2.
  
  Python 3 is easily installable on the Mac: Click here.
  3 steps if you already have Xcode installed. One step if you already have homebrew installed.
7. Re:I've always hated Python because... by Baki · 2018-10-28 00:49 · Score: 1
  
  3.7 is not backwards compatible to 3.6, for example. Last week I had to downgrade...
  We're going to move parts of our python code to go.
8. Re: I've always hated Python because... by Anonymous Coward · 2018-10-28 02:16 · Score: 0
  
  That's BS. Python 3.6 programs work with Python 3.7 without issues. Heck they probably also work with Python 2.7 if not for edge cases and then there is usually a library to fix it.
9. Re:I've always hated Python because... by tartley · 2018-10-28 04:36 · Score: 1
  
  You do know that 'go' is moving to a backwards incompatible version 2.0, right? https://blog.golang.org/toward...
10. Re:I've always hated Python because... by DeVilla · 2018-10-28 09:26 · Score: 1
  
  That's not entirely true. I wish it were. Once they got into the higher 5.teen versions, they started adding features in an attempt to keep up with Perl 6, but they've done it kind of badly.
  There's still a fairly safe sub-set of perl that work pretty well every where. But there have been some advanced changes dubbed 'non-experimental' to later be broken and then removed due to sloppiness while trying to stay 'modern'.
11. Re:I've always hated Python because... by Anonymous Coward · 2018-10-28 13:22 · Score: 0
  
  Maybe you should try C# on the .NET Core platform instead? I have ancient C# programs written back in the .NET 2.0 days that still compile build and run as expected on the newest .NET framework versions. Say what you want about Microsoft development tools, but backwards compatibility isn't one of their shortcomings.
12. Re:I've always hated Python because... by DCFusor · 2018-10-29 01:40 · Score: 1
  
  Well, yeah. Of course new/experimental stuff is...new, flaky, experimental. Zero of the changes have broken any of my existing code - but of course, if you are an early adopter of anything, you get cut on the bleeding edge some. I code to around 5.10 to 5.20 (rarely the latter). There's a module called "Modern::Perl that lets you require just the features you want by using a version number or year in the require statement. Use it. Try it in new code and find all the places you messed up and used stuff that you shouldn't have. I haven't found any of that new stuff to be other than syntactic sugar that for me, doesn't help anyway.
  I said perl 5 - the 6 stuff trying to come in...isn't really perl5 and need not be used if you don't want to.
  Everyone doesn't have to be Damian Conway, even though he's fun to watch.
  
  --
  Why guess when you can know? Measure!
13. Re:I've always hated Python because... by hoggoth · 2018-10-29 05:18 · Score: 1
  
  True but misleading. Executables compiled with an older 'go' will continue to execute. This is not true of Python. New Python interpreters can cause old code to break.
  
  --
  - For the complete works of Shakespeare: cat /dev/random (may take some time)
14. Re:I've always hated Python because... by Anonymous Coward · 2018-10-29 09:05 · Score: 0
  
  I'm guessing you've not been programming very long. This happens with all sorts of interpreters, compilers and linkers. Fuck, it wasn't that long ago that gcc wasn't backward compatible with itself in the least. I use Gentoo and it was a considerable chore to upgrade to gcc 5.x and 6.x. Your other issues with Python are also laughable. You do know there are already ways around everything you just described, right? Never mind, you're right, leave Python alone(we surely don't want your nonsense)
15. Re:I've always hated Python because... by DeVilla · 2018-11-01 13:59 · Score: 1
  
  I know there'll be issues with experimental stuff and bugs. I was talking about some bigger issues like this one :
  http://blogs.perl.org/users/le...
  I've been noticing a growing number of ill planned changes in perl5 since (roughly) the 5.18 time frame. In that particular case, I think it's nasty that a use statement doesn't protect against the incompatibility. It would break your suggestion of using the use statement. I don't use Modern::Perl because most of the systems I use don't have it, I don't have root and don't like virtualenv type stuff (not that perl really has a great virtualenv type environment. Brew is a bit heavy weight and fiddling with the PERL%* vars is fiddly.)
  I find targeting core perl 5.10 to be the safe bet for now when I'm at work. At home I'll target want I have.
16. Re:I've always hated Python because... by DCFusor · 2018-11-02 08:18 · Score: 1
  
  I completely agree. I tend to target something around 5.10 myself and not use some of the maybe-nifty newer features issues since I don't use them. I haven't looked but I wonder if the source for Modern:Perl couldn't just be pasted in...especially if you just want to hold the 5.10 features. I don't use REs heavily at all here. I remember writing one that took around 2-3 days to write and was half a line of code - but it solved a crazy hard problem (sorting vacuum tube numbers the same way humans did for data books, and boy is that obscure rules about when - sometimes - number like zero or 0 come first, in this or that context...)
  I commit the sin (depending on who you ask) of using "distro perl" which is in the 5.20 to 22 range now, but I still program more or less according to the camel book
  ~
  I looked into perlbrew and perlenv and like you, decided that was more than I wanted to fool with - after all, the reason I use perl is to save ME time, and I'm writing glue for my own homestead "LAN of things" and data acquisition glue for my fusion reactor experiments. I don't give a damn if it's the hot new thing. If I need to crunch numbers at speed, well, there's inline::whatever (C...). For talking to databases, gnuplot and writing little daemons that do cool things - perl's the way for certain. When I interface some hardware with some odd protocol over serial or network to a pc - that's perl too. If it's too a raspberry pi and there's a python driver - well, that's Inline::Python and get on with it. If it's in a tiny thing like arduino, C. Back when I was forced to write interface programs and drivers for a manuf's hardware for windows, that was MFC mostly, C++ but the parts I wrote were mostly C. But it's been long since and if I'm not getting paid...I don't fool with that stuff.
  Like Ricardo said...I like the culture of "nice" we have....https://www.youtube.com/watch?v=gmmVGPdcItM
  I post a lot of my source code and whatnot up on my website which I think is findable via my nick here. Doubt anyone uses it much, but it's there along with other interesting things. It all seems to run the same on whatever PC Mint flavored distro as it does on Raspian or Armbian (other than speed, of course)...works for me.
  
  --
  Why guess when you can know? Measure!
17. Re:I've always hated Python because... by DCFusor · 2018-11-02 08:20 · Score: 1
  
  And of course, I'm spoiled because I ALWAYS have root here...I'm lucky to live in a world where computers serve me, not the other way around.
  
  --
  Why guess when you can know? Measure!
Yeahhh by Anonymous Coward · 2018-10-27 08:17 · Score: 0

This is why I dont trust other people's code
Lack of compatibility is why I don't like Python by raymorris · 2018-10-27 09:04 · Score: 3, Informative

Same here. Except you don't need "a language I made up", practically any other programming language maintains backward compatibility.
With Python, when it says "requires Python 2.6â, it means EXACTLY 2.6, not "at least 2.6". Python 2.7 won't work because they completely break compatibility even in point releases. I can't think of any other language that does that.
I have stuff written in C, Perl, shell, even Javascript fifteen years ago that still runs just fine. Other languages ADD capabilities instead of randomly redefining basic things every year or two.
Re:Lack of compatibility is why I don't like Pytho by Megol · 2018-10-27 10:21 · Score: 1

Swift
Re:Lack of compatibility is why I don't like Pytho by Aighearach · 2018-10-27 11:00 · Score: 2

All the other languages that I can think of that do it are functional academic languages like Haskell.
Re:Lack of compatibility is why I don't like Pytho by Lothsahn · 2018-10-27 12:10 · Score: 0

What you say is true, but it's even worse than that. Like you said, it means EXACTLY 2.6. Not even 2.6.1 will work, so if a security issue is found and fixed and patched in Python, you have to recompile your software to fix the issue. Along with abysmal performance, it's one of the most annoying things about supporting Python in production.

--
-=Lothsahn=-
This is not something to take lightly by Anonymous Coward · 2018-10-27 12:22 · Score: 1

There are several languages/communities that use unsecured repository systems for managing code projects. For example, Composer with PHP. Maintainers are like "oh we'll find it quick if there's a problem", and they don't do anything with it. These are not set up *anything* like linux distribution repositories, for example Ubuntu and RHEL software packages. Problem is, using code signing makes it difficult for people to add their code to the repositories, in other words "to use it" - security hampers adoption, so it's prioritized like a step-child at Christmas.
And these packages are all semi-blindly pulled as building blocks for software packages. Most of the newer sites/applications built using these repositories are exposed to malfeasance on every single build. Since there's so much weight put on CI/CD today - there are going to be a lot of configurations where an app will update and pull a malicious package and as long as any associated tests aren't interfered with, there won't be any bells ringing.
1. Re:This is not something to take lightly by Anonymous Coward · 2018-10-28 04:34 · Score: 0
  
  As the original author of one of the affected packages, can you unpack how the measures you hint at would prevent this particular problem? My package has not had any code added or modified. Thanks for any thoughts.
Re:Lack of compatibility is why I don't like Pytho by sjames · 2018-10-27 12:29 · Score: 2

You must be doing it wrong. I have literally never had python break due to versioning.
Re:Lack of compatibility is why I don't like Pytho by Jastiv · 2018-10-27 15:33 · Score: 1

>I can't think of any other language that does that. I recall issues with Lua and Lua bindings as well.
Re:Lack of compatibility is why I don't like Pytho by tartley · 2018-10-28 04:38 · Score: 1

This is simply wrong. No you do not. I've migrated hundreds of projects through every python transition from 2.6 to 3.7, and never had these problems. I say this with sympathy, not condemnation, because we've all been there in one topic or another, but you must be doing it wrong.
Re:Lack of compatibility is why I don't like Pytho by tartley · 2018-10-28 04:42 · Score: 2

> abysmal performance "The performance of uvloop-based asyncio [Python async networking/webserver] is close to that of Go programs." https://magic.io/blog/uvloop-b...
Re:Lack of compatibility is why I don't like Pytho by Anonymous Coward · 2018-10-29 09:08 · Score: 0

"practically any other programming language maintains backward compatibility."
Bwahahahahah. You must be new to this. This happens with a lot of programming languages, you just aren't paying attention. That jump to gcc 5.x and 6.x is enough to invalidate pretty much everything you complained about.