[Python-Dev] SK-CSIRT identified malicious software libraries in the official Python package repository, PyPI

Victor Stinner victor.stinner at gmail.com
Fri Sep 22 09:19:13 EDT 2017


FYI I just sent a public advisory for the PyPI typo squatting issue to
the new security-announce list:

[Security-announce] Typo squatting and malicious packages on PyPI

Please subscribe to this newly created mailing list to stay tuned!



2017-09-15 22:28 GMT+02:00 Victor Stinner <victor.stinner at gmail.com>:
> Hi,
> Last week, the National Security Authority of Slovakia contacted the
> Python Security Response Team (PSRT) to report that the Python Package
> Index (PyPI) was hosting malicious packages. Installing these packages
> send user data to a HTTP server, but also install the expected module
> so it was an easy to notice the attack.
> Advisory: http://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/
> Kudos to them to report the issue!
> It's not a compromise of the PyPI server nor a third-party project,
> but the "typo squatting" issue which is known since at least June 2016
> (for PyPI). The issue is not specific to Python, npmjs.com or
> rubygems.org are vulnerable to the same issue.
> For example, a malicious package used the names "urllib" (no 3) and
> "urlib3" (1 L) instead of "urllib3" (2 L). These packages were
> downloaded by users, so the attack was effective.
> More information on typo squatting and Python package security:
> https://python-security.readthedocs.io/packages.html#pypi-typo-squatting
> The PRST contacted PyPI administrators and all identified packages
> were taken down, only 1h10 after the PSRT received the email from the
> National Security Authority of Slovakia!
> The typo squatting issue is known and discussed, but not solution was
> found yet. See for example this warehouse issue:
> https://github.com/pypa/warehouse/issues/2151
> It seems like the consensus is that pip is not responsible to detect
> malicious code, it's more the responsability of PyPI.
> The problem is to decide how to detect malicious code and/or prevent
> typo squatting on PyPI.
> The issue has been discussed privately on the PSRT list last week. The
> National Security Authority of Slovakia just published their advisory,
> and a public discussion started on reddit:
> https://news.ycombinator.com/item?id=15256121
> I consider that it's now time to find a solution on the public
> python-dev mailing list.
> Let's try to find a solution!
> Can we learn something from the Update Framework (TUF)?
> How does Javascript, Ruby, Perl and other programming languages deal
> with these security issues on their package manager?
> See also my other notes on Python security and the list of known
> CPython vulnerabilities:
> https://python-security.readthedocs.io/
> Victor

More information about the Python-Dev mailing list