[Distutils] Malicious packages on PyPI

Matthias Bussonnier bussonniermatthias at gmail.com
Thu Jun 1 19:26:31 EDT 2017


On Thu, Jun 1, 2017 at 3:20 PM, Jannis Gebauer <ja.geb at me.com> wrote:
> This makes me remember
> https://hackernoon.com/building-a-botnet-on-pypi-be1ad280b8d6 on a related
> note.
>
> Yep, that’s basically the same thing. Instead of using package names of
> builtins, the attacker is using a combination of popular apt/yum packages
> with a mix of package names with typos.
>
> During development, it’s not uncommon to make mistakes like:
>
> pip install requirements.txt (forgot the -r)
> pip install requestd (typo)
> pip install tkinter (not registered)
>
> Or to use the wrong package manager (apt-get install python-dev vs. pip
> install python-dev).
>
> I wonder if it would make sense to build some kind of blacklist for this.
> According to the blog post there were close to 10k installs over a period of
> just three days. I believe Debian is running some kind of popularity contest
> for their packages which could be used to identify problematic packages.
> This will be a lot of manual work, but I’d work on a list like this.

Does PyPA have a list of the most 404'ed requests for PyPI? As pip
install `doesnotexists` will get pypi's
`pypi.python.org/simple/doesnotexist/`, we can likely get a quick idea
of what is currently unregistered and could potentially be dangerous.
That seems more efficient than trying to guess.
-- 
M
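A defensive sketch of the 404 idea above, written as an added example (not code from this thread, from PyPA or from pip): it parses constructed access-log lines for requests to nonexistent `/simple/<name>/` entries, normalizes names the way pip does (PEP 503), and tags each missing name as a likely typo of a popular package, a stdlib module, an OS package name, or a file name typed by mistake. The log format, the popular-package list and the tag labels are assumptions.

```python
import re
from collections import Counter

# Constructed sample of simple-index access log lines (not real PyPI logs).
SAMPLE_LOG = """\
10.0.0.1 - - [01/Jun/2017:15:20:01 +0000] "GET /simple/requests/ HTTP/1.1" 200 4120
10.0.0.2 - - [01/Jun/2017:15:20:02 +0000] "GET /simple/requestd/ HTTP/1.1" 404 0
10.0.0.3 - - [01/Jun/2017:15:20:03 +0000] "GET /simple/requirements.txt/ HTTP/1.1" 404 0
10.0.0.4 - - [01/Jun/2017:15:20:04 +0000] "GET /simple/tkinter/ HTTP/1.1" 404 0
10.0.0.5 - - [01/Jun/2017:15:20:05 +0000] "GET /simple/python-dev/ HTTP/1.1" 404 0
10.0.0.6 - - [01/Jun/2017:15:20:06 +0000] "GET /simple/requestd/ HTTP/1.1" 404 0
10.0.0.7 - - [01/Jun/2017:15:20:07 +0000] "GET /simple/urllib3/ HTTP/1.1" 200 3000
"""

# Only simple-index lookups that came back 404 are of interest.
SIMPLE_404 = re.compile(r'"GET /simple/([^/ ]+)/ HTTP/[\d.]+" 404 ')

# Assumed reference sets; a real deployment would use download statistics.
STDLIB_MODULES = {"tkinter", "os", "sys", "json", "argparse"}
POPULAR = {"requests", "urllib3", "numpy", "django", "flask"}

def normalize(name):
    """PEP 503 name normalization, as pip applies before hitting the index."""
    return re.sub(r"[-_.]+", "-", name).lower()

def count_missing(log_text):
    """Count how often each normalized, nonexistent name was requested."""
    return Counter(normalize(m.group(1)) for m in SIMPLE_404.finditer(log_text))

def edit_distance(a, b):
    """Plain Levenshtein distance; one edit is enough to catch most typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(name):
    """Tag a missing name with the most likely reason someone asked for it."""
    if name in STDLIB_MODULES:
        return "stdlib-not-on-pypi"
    if name.startswith("python-"):
        return "os-package-name"          # apt/yum habit: python-dev etc.
    if name.endswith("-txt"):
        return "file-name"                # 'pip install requirements.txt'
    near = sorted(p for p in POPULAR if edit_distance(name, p) <= 1)
    return "typo-of:" + near[0] if near else "unknown"

def report(log_text):
    """(name, 404 count, tag) for every missing name, most requested first."""
    return [(n, c, classify(n)) for n, c in count_missing(log_text).most_common()]
```

Names that show up often here are the ones worth reserving or watching on the index, since they are the ones a later typosquat registration would catch.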

