Malicious Libraries Found on Python Package Index (PyPI)

If you get Python packages from the Python Package Index, you'll want to read this news. Have you been affected?

Malicious code has been found on the Python Package Index (PyPI), the most popular location for sharing Python packages. This was reported by the Slovak National Security Office and then picked up by Bleeping Computer, among other places (e.g. Reddit). The attack vector was typosquatting: uploading a package whose name is a common misspelling of a popular package, for example lmxl instead of lxml, so that a developer who mistypes the name installs the attacker's code instead.
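The defensive counterpart of the typosquatting technique described above is to check requested package names against a list of well-known packages before installing them. The following is an added example, not code from the article or from PyPI: it parses a requirements file, normalizes names the way PyPI does (PEP 503), and flags any name that is one edit (including a transposition such as lmxl for lxml) away from a known package without being that package. The allowlist and the sample requirements are constructed for the example; a real deployment would use a much larger list, such as the most-downloaded packages.

```python
"""Flag likely typosquatted package names in a requirements file.

Added example (not the article's or PyPI's own code). The allowlist and
the sample requirements below are constructed for illustration.
"""
import re

# Constructed allowlist of well-known PyPI names (assumption: a real check
# would load a much fuller list, e.g. the top packages by download count).
KNOWN_PACKAGES = {
    "lxml", "requests", "urllib3", "numpy", "setuptools", "django",
    "flask", "pyyaml", "cryptography", "six",
}

# Constructed sample requirements file containing two near-miss names.
SAMPLE_REQUIREMENTS = """\
# constructed sample requirements
lmxl==4.2.0
requests>=2.18
djnago
numpy==1.13.1
mypkg_internal
"""


def normalize(name: str) -> str:
    """PEP 503 name normalization: case-fold and collapse runs of -, _ and . to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insertion, deletion, substitution
    or transposition of two adjacent characters, each costing 1.
    Transpositions matter because lmxl -> lxml is a single swapped pair."""
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,        # deletion
                          d[i][j - 1] + 1,        # insertion
                          d[i - 1][j - 1] + cost) # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[-1][-1]


def requirement_names(text: str):
    """Yield the bare project name from each requirement line, skipping
    blanks, comments and pip options such as '-r other.txt'."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = re.match(r"([A-Za-z0-9][A-Za-z0-9._-]*)", line)
        if m:
            yield m.group(1)


def find_typosquats(text: str, known=KNOWN_PACKAGES, max_distance: int = 1):
    """Return [(requested_name, suspected_target, distance)] for every name
    that is not on the allowlist but lies within max_distance edits of one."""
    known_norm = {normalize(k): k for k in known}
    findings = []
    for name in requirement_names(text):
        n = normalize(name)
        if n in known_norm:
            continue  # exact match with a known package: nothing to flag
        best = min(sorted(known_norm), key=lambda k: osa_distance(n, k))
        dist = osa_distance(n, best)
        if dist <= max_distance:
            findings.append((name, known_norm[best], dist))
    return findings


if __name__ == "__main__":
    for requested, target, dist in find_typosquats(SAMPLE_REQUIREMENTS):
        print(f"suspicious: {requested!r} is {dist} edit(s) from {target!r}")
```

Running the script on the constructed sample reports lmxl (one transposition from lxml) and djnago (one transposition from django), while exact matches such as requests and numpy and the clearly unrelated mypkg_internal pass. A distance threshold of 1 keeps false positives low; raising it catches more creative misspellings at the cost of more manual review.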

You can see the original report from the Slovak National Security Office here: http://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/

I saw this vector talked about last August in this blog post, which a lot of people seemed to think little of. It's interesting that now people are getting a lot more excited about the issue.

This also reminded me of the controversy over a startup called Kite which basically inserted adware/spyware into plugins, such as Atom, autocomplete-python, etc.

Packaging in Python needs some help. I like how much better it is now than it was 10 years ago, but there are still a lot of issues.

Tags: python, package, malware, security

Published at DZone with permission of

Opinions expressed by DZone contributors are their own.