
Malicious Libraries Found on Python Package Index (PyPI)


If you get Python packages from the Python Package Index, you'll want to read this news. Have you been affected?


Malicious code has been found on the Python Package Index (PyPI), the most popular location for sharing Python packages. This was reported by the Slovak National Security Office and then picked up by Bleeping Computer, among other places (e.g. Reddit). The attack vector was typosquatting: uploading a package under a misspelled version of a popular package's name, for example lmxl instead of lxml, so that it is installed by anyone who mistypes the name.

You can see the original report from Slovak National Security Office here: http://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/

I saw this vector talked about last August in this blog post, which a lot of people seemed to think little of. It's interesting that now people are getting a lot more excited about the issue.

This also reminded me of the controversy over a startup called Kite, which basically inserted adware/spyware into plugins, such as Atom, autocomplete-python, etc.

Packaging in Python needs some help. I like how much better it is now than it was 10 years ago, but there are still a lot of issues.


Published at DZone with permission of
