Slashdot Mirror


Twelve Malicious Python Libraries Found and Removed From PyPI (zdnet.com)

An anonymous reader writes: A software security engineer has identified 12 Python libraries uploaded on the official Python Package Index (PyPI) that contained malicious code. The 12 packages used typo-squatting in the hopes a user would install them by accident or carelessness when doing a "pip install" operation for a mistyped more popular package, like Django (ex: diango).

Eleven libraries would attempt to either collect data about each infected environment, obtain boot persistence, or even open a reverse shell on remote workstations. A twelfth package, named "colourama," was financially-motivated and hijacked an infected users' operating system clipboard, where it would scan every 500ms for a Bitcoin address-like string, which it would replace with the attacker's own Bitcoin address in an attempt to hijack Bitcoin payments/transfers made by an infected user.

54 users downloaded that package -- although all 12 malicious packages have since been taken down.

Four of the packages were misspellings of django -- diango, djago, dajngo, and djanga.
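The typo-squatting described above lends itself to a pre-install check. The following is an added example, not code from the article or from the engineer who reported the packages: it parses a constructed requirements file and flags any entry whose name is within a small edit distance of a well-known package but is not an exact match, using the article's diango, dajngo and colourama as sample input. The allow-list of popular names is an assumption.

```python
import re

# Constructed allow-list of well-known names (an assumption; a real check
# would use a curated list such as the most-downloaded PyPI projects).
POPULAR = {"django", "colorama", "requests", "numpy", "flask"}

# Constructed requirements text mixing the article's typosquats with legitimate entries.
SAMPLE_REQUIREMENTS = """\
Django==2.1
diango>=1.0   # one keystroke away from django
colourama
requests[security]>=2.20
numpy
dajngo
"""

def osa_distance(a, b):
    """Optimal string alignment distance (insert/delete/substitute/adjacent transposition)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition, e.g. dajngo
    return d[len(a)][len(b)]

def requirement_name(line):
    """PEP 503-normalised project name from one requirements line, or None for blank/comment lines."""
    line = line.split("#", 1)[0].strip()
    m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)", line)
    return re.sub(r"[-_.]+", "-", m.group(1)).lower() if m else None

def find_typosquats(requirements, popular=POPULAR, max_distance=2):
    """Map each near-miss name (not an exact match) to the popular package it resembles."""
    hits = {}
    for line in requirements.splitlines():
        name = requirement_name(line)
        if name is None or name in popular:
            continue
        closest = min(sorted(popular), key=lambda known: osa_distance(name, known))
        if osa_distance(name, closest) <= max_distance:
            hits[name] = closest
    return hits
```

Running `find_typosquats(SAMPLE_REQUIREMENTS)` on the constructed input reports diango and dajngo against django and colourama against colorama, while the correctly spelled entries pass.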

8 of 36 comments

  1. I've always hated Python because... by Jastiv · Score: 2

    I've always hated to deal with python in free software game projects because it moves too fast. I've had so many projects where because of old python, part of the project wouldn't work anymore. It's hard when you have a project with two or three developers on it and then now you have all these old python scripts and now they don't work anymore because your distribution upgrades your python. Alright, I don't even know how old it is, but when you are dealing with these tiny teams of people, you are just going to have old code. Someday, I will take the python out of my project and replace it with a language I made up that never changes. I am a better person than the Python maintainers and I would never subject my users to the evils of backwards incompatibility.

    1. Re:I've always hated Python because... by Anonymous Coward · Score: 2, Insightful

      > I've always hated to deal with python in free software game projects because it moves too fast.

      Python 1.0 - January 1994
      Python 2.0 - October 16, 2000
      Python 2.4 - November 30, 2004
      Python 2.6 - October 1, 2008
      Python 3.0 - December 3, 2008

      I think that most likely you started with 2.4 or 2.6. If we assume that you started with 2.4, in the worst case scenario you started coding in 2008, right before 2.6 and 3.0 came out. If you did, in the worst case scenario you would end up upgrading first to 2.6 and then to 3.0 within one year. If you started with 3.0 you probably didn't have any problems for 10 years. If you started in 2004, you probably had no problems for 4 years. It is highly likely that you simply had very bad luck with your timing.

    2. Re:I've always hated Python because... by DCFusor · Score: 3, Interesting

      Perl 5 - it's been forever since they broke userland - just incremental improvements. No need to worry about rakudo (used to be called perl6) replacing it - it's acknowledged to be a very different language that will never replace 5 for normal production.
      Which I know will get a zillion downvotes, because - with as much flexibility as perl has, some assholes use it to write unreadable code for job security or something. People look at mine and say "oh, how nice you write such clear and obvious code. Is that some better newer C?".
      You can use that rope to shoot yourself in the foot, or pull yourself up. Some people think there shouldn't be more than one way to do it. I like freedom.
      Hint: if you already know python, well, it's more or less a perl copy with crappier namespace and lifetime control, that uses whitespace instead of more civilized {}, and that's about the level of difference. There's even Inline::Python for perl... I use it myself as well as Inline::C. Then there's metacpan...

      --
      Why guess when you can know? Measure!

    3. Re:I've always hated Python because... by Venona2018 · Score: 3, Informative

      > Python 2 or 3 or whatever it is now?

      > I'm on Mac so I'm stuck with Python 2 because of some reason that has never been explained in a way that makes any sense: it was all just hearsay.

      You are not stuck on Python 2.

      Python 3 is easily installable on the Mac: Click here.
      3 steps if you already have Xcode installed. One step if you already have homebrew installed.

  2. Lack of compatibility is why I don't like Python by raymorris · Score: 3, Informative

    Same here. Except you don't need "a language I made up", practically any other programming language maintains backward compatibility.

    With Python, when it says "requires Python 2.6", it means EXACTLY 2.6, not "at least 2.6". Python 2.7 won't work because they completely break compatibility even in point releases. I can't think of any other language that does that.

    I have stuff written in C, Perl, shell, even Javascript fifteen years ago that still runs just fine. Other languages ADD capabilities instead of randomly redefining basic things every year or two.

  3. Re:Lack of compatibility is why I don't like Pytho by Aighearach · Score: 2

    All the other languages that I can think of that do it are functional academic languages like Haskell.

  4. Re:Lack of compatibility is why I don't like Pytho by sjames · Score: 2

    You must be doing it wrong. I have literally never had python break due to versioning.

  5. Re:Lack of compatibility is why I don't like Pytho by tartley · Score: 2

    > abysmal performance

    "The performance of uvloop-based asyncio [Python async networking/webserver] is close to that of Go programs." https://magic.io/blog/uvloop-b...