Twelve Malicious Python Libraries Found and Removed From PyPI (zdnet.com)
An anonymous reader writes:
A software security engineer has identified 12 Python libraries uploaded to the official Python Package Index (PyPI) that contained malicious code. The 12 packages used typo-squatting in the hope that a user would install them by accident or through carelessness when doing a "pip install" for a mistyped, more popular package, like Django (ex: diango).
Eleven libraries would attempt to either collect data about each infected environment, obtain boot persistence, or even open a reverse shell on remote workstations. A twelfth package, named "colourama," was financially motivated and hijacked an infected user's operating system clipboard, where it would scan every 500ms for a Bitcoin address-like string, which it would replace with the attacker's own Bitcoin address in an attempt to hijack Bitcoin payments/transfers made by an infected user.
54 users downloaded that package -- although all 12 malicious packages have since been taken down.
Four of the packages were misspellings of django -- diango, djago, dajngo, and djanga.
> I've always hated to deal with python in free software game projects because it moves too fast.
Python 1.0 - January 1994
Python 2.0 - October 16, 2000
Python 2.4 - November 30, 2004
Python 2.6 - October 1, 2008
Python 3.0 - December 3, 2008
I think that most likely you started with 2.4 or 2.6. If we assume that you started with 2.4, in the worst-case scenario you started coding in 2008, right before 2.6 and 3.0 came out. If you did, in the worst-case scenario you would end up upgrading first to 2.6 and then to 3.0 within one year. If you started with 3.0 you probably didn't have any problems for 10 years. If you started in 2004, you probably had no problems for 4 years. It is highly likely that you simply had very bad luck with your timing.