Twelve Malicious Python Libraries Found and Removed From PyPI (zdnet.com)
An anonymous reader writes:
A software security engineer has identified 12 Python libraries uploaded on the official Python Package Index (PyPI) that contained malicious code. The 12 packages used typo-squatting in the hopes a user would install them by accident or carelessness when doing a "pip install" operation for a mistyped more popular package, like Django (ex: diango).
Eleven libraries would attempt to either collect data about each infected environment, obtain boot persistence, or even open a reverse shell on remote workstations. A twelfth package, named "colourama," was financially motivated and hijacked an infected user's operating system clipboard, where it would scan every 500ms for a Bitcoin address-like string, which it would replace with the attacker's own Bitcoin address in an attempt to hijack Bitcoin payments/transfers made by an infected user.
54 users downloaded that package -- although all 12 malicious packages have since been taken down.
Four of the packages were misspellings of django -- diango, djago, dajngo, and djanga.
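As an added example (not code from the zdnet story, nor from pip or PyPI) of the kind of pre-install check that would have flagged the names above: it scores each requested package against a small, assumed list of popular names by edit distance and reports near misses for review.

```python
# Added example (not from the story or from pip/PyPI): flag requested
# package names that sit within a couple of edits of a well-known package.
# The POPULAR set and the max_edits threshold are assumptions for the demo;
# a real check would be driven by PyPI download statistics.
POPULAR = {"django", "requests", "numpy", "flask", "colorama"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character insert/delete/substitute edits."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def typosquat_candidates(name: str, popular=POPULAR, max_edits: int = 2):
    """Popular names within max_edits of `name`; an exact match is not suspicious."""
    name = name.lower()
    if name in popular:
        return []
    return sorted(p for p in popular if edit_distance(name, p) <= max_edits)


def check_requirements(lines):
    """Map each suspicious requirement line to the popular names it resembles."""
    flagged = {}
    for line in lines:
        # Strip the most common version pins; comments and blanks are skipped.
        pkg = line.strip().split("==")[0].split(">=")[0].strip()
        if not pkg or pkg.startswith("#"):
            continue
        hits = typosquat_candidates(pkg)
        if hits:
            flagged[pkg] = hits
    return flagged


if __name__ == "__main__":
    # Constructed requirements list using the misspellings named in the story.
    sample = ["diango==2.1", "djago", "dajngo>=2.0", "djanga", "requests==2.19", "colourama"]
    for pkg, hits in check_requirements(sample).items():
        print(f"{pkg!r} looks like {hits}; verify the name before installing")
```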
Same here. Except you don't need "a language I made up", practically any other programming language maintains backward compatibility.
With Python, when it says "requires Python 2.6", it means EXACTLY 2.6, not "at least 2.6". Python 2.7 won't work because they completely break compatibility even in point releases. I can't think of any other language that does that.
I have stuff written in C, Perl, shell, even Javascript fifteen years ago that still runs just fine. Other languages ADD capabilities instead of randomly redefining basic things every year or two.
Python 2 or 3 or whatever it is now?
I'm on Mac so I'm stuck with Python 2 because of some reason that has never been explained in a way that makes any sense: it was all just hearsay.
You are not stuck on Python 2.
Python 3 is easily installable on the Mac: Click here.
3 steps if you already have Xcode installed. One step if you already have homebrew installed.