Slashdot Mirror
Twelve Malicious Python Libraries Found and Removed From PyPI (zdnet.com)
An anonymous reader writes:
A software security engineer has identified 12 Python libraries uploaded on the official Python Package Index (PyPI) that contained malicious code. The 12 packages used typo-squatting in the hopes a user would install them by accident or carelessness when doing a "pip install" operation for a mistyped more popular package, like Django (ex: diango).
Eleven libraries would attempt to either collect data about each infected environment, obtain boot persistence, or even open a reverse shell on remote workstations. A twelfth package, named "colourama," was financially-motivated and hijacked an infected users' operating system clipboard, where it would scan every 500ms for a Bitcoin address-like string, which it would replace with the attacker's own Bitcoin address in an attempt to hijack Bitcoin payments/transfers made by an infected user.
54 users downloaded that package -- although all 12 malicious packages have since been taken down.
Four of the packages were misspellings of django -- diango, djago, dajngo, and djanga.
Eleven libraries would attempt to either collect data about each infected environment, obtain boot persistence, or even open a reverse shell on remote workstations. A twelfth package, named "colourama," was financially-motivated and hijacked an infected users' operating system clipboard, where it would scan every 500ms for a Bitcoin address-like string, which it would replace with the attacker's own Bitcoin address in an attempt to hijack Bitcoin payments/transfers made by an infected user.
54 users downloaded that package -- although all 12 malicious packages have since been taken down.
Four of the packages were misspellings of django -- diango, djago, dajngo, and djanga.
Same here. Except you don't need "a language I made up", practically any other programming language maintains backward compatibility.
With Python, when it says "requires Python 2.6â, it means EXACTLY 2.6, not "at least 2.6". Python 2.7 won't work because they completely break compatibility even in point releases. I can't think of any other language that does that.
I have stuff written in C, Perl, shell, even Javascript fifteen years ago that still runs just fine. Other languages ADD capabilities instead of randomly redefining basic things every year or two.
Perl 5 - it's been forever since they broke userland - just incremental improvements. No need to worry about rakudo (used to be called perl6) replacing it - it's acknowledged to be a very different language that will never replace 5 for normal production.
Which I know will get a zillion downvotes, because - with as much flexibility as perl has, some assholes use it to write unreadable code for job security or something. People look at mine and say "oh, how nice you write such clear and obvious code. Is that some better newer C?".
You can use that rope to shoot yourself in the foot, or pull yourself up. Some people think there shouldn't be more than one way to do it. I like freedom.
Hint: if you already know python, well, it's more or less a perl copy with crappier namespace and lifetime control, that uses whitespace instead of more civilized {}..and that's about the level of difference. There's even Inline::Python for perl...I use it myself as well as Inline::C. Then there's metacpan...
Why guess when you can know? Measure!
Python 2 or 3 or whatever it is now?
I'm on Mac so I'm stuck with Python 2 because of some reason that has never been explained in a way that makes any sense: it was all just hearsay.
You are not stuck on Python 2.
Python 3 is easily installable on the Mac: Click here.
3 steps if you already have Xcode installed. One step if you already have homebrew installed.