I mean the easy attack vector is to find a package where the package name does not match the import namespace. If the import namespace has no corresponding package in PyPI... register it.

Anyone who blindly tries to grab a dependency will grab your module instead of the one they want. Horrible to do. But that's the attack vector.

On Thu, Jun 1, 2017 at 3:31 PM, Xavier Fernandez <[email protected]> wrote:
> This makes me remember https://hackernoon.com/building-a-botnet-on-pypi-be1ad280b8d6 on a related note.
>
> On Thu, Jun 1, 2017 at 7:40 PM, Thomas Kluyver <[email protected]> wrote:
>> On Thu, Jun 1, 2017, at 06:32 PM, Matt Joyce wrote:
>>
>> It's basically a test dummy package that reports users who have run that package template.
>>
>> That's what I thought, but all the code to do the upload seems to have been removed before s/he built those packages. Now it's just a harmless warning, unless I'm missing something.
>>
>> https://github.com/fate0/cookiecutter-evilpy-package/commit/a3ed1e1e060748b0444158ea3bc569dfbf57645e
>>
>> The site referenced lists the package name that the user ran to get posted to the site. There appear to be many packages in PyPI that are built off this fatezero template.
>>
>> There *appear* to be, but I checked several of the names listed there, and they're not on PyPI:
>>
>> https://pypi.python.org/pypi/tkinter
>> https://pypi.python.org/pypi/memcached
>> https://pypi.python.org/pypi/vtk
>> https://pypi.python.org/pypi/python-dev
>> https://pypi.python.org/pypi/opencv
>>
>> So I wonder if the data is fake. Or maybe they were already taken down? Or the installations are real, but not using those names.
>>
>> PyPI is not a very good package management solution. Most folks I advise to build from PyPI in CI/CD but push to production via a real package management solution such as apt or yum. Always double check sources coming from the internet.
>>
>> It's an open repository that anyone can upload to. That has its drawbacks and its advantages.
_______________________________________________ Distutils-SIG maillist - [email protected] https://mail.python.org/mailman/listinfo/distutils-sig
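The check a defender would run against the vector Matt describes above, as an added example that is not part of the thread or of any project mentioned in it: for each installed distribution, list the import names it provides, and flag any import name that differs from the distribution name and is not itself a registered project. Those are the names that `pip install <import name>` would resolve to whatever someone registers. The `SAMPLE_DISTS` mapping and the `SAMPLE_INDEX` set of "known project names" are constructed stand-ins so the script runs offline; in practice `installed_distributions()` supplies the first and a lookup against the real index (e.g. the Simple API at https://pypi.org/simple/) supplies the second. Nothing here asserts which names are or are not actually registered on PyPI.

```python
"""Audit an environment for import names that an attacker could register.

Added example, not code from the Distutils-SIG thread. Models the attack
described there: a distribution whose import namespace differs from its
project name (hypothetical sample: 'python-dateutil' imported as 'dateutil').
If nobody holds the import name on the index, anyone who types
`pip install dateutil` gets whatever is registered under that name.
"""
import re
from importlib import metadata


def normalize(name: str) -> str:
    """PEP 503 name normalization: case-insensitive, runs of -_. become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def top_level_modules(dist: metadata.Distribution) -> set[str]:
    """Import names a distribution provides, from top_level.txt or, failing
    that, from the first path component of each installed file."""
    names: set[str] = set()
    txt = dist.read_text("top_level.txt")
    if txt:
        names.update(line.strip() for line in txt.splitlines() if line.strip())
    elif dist.files:
        for f in dist.files:
            first = f.parts[0]
            if first.endswith((".dist-info", ".egg-info")) or first == "..":
                continue
            if first.endswith(".py"):
                names.add(first[:-3])
            elif "." not in first:  # a package directory
                names.add(first)
    return names


def installed_distributions() -> dict[str, set[str]]:
    """Real input for the audit: {project name: import names} for this env."""
    return {
        d.metadata["Name"]: top_level_modules(d)
        for d in metadata.distributions()
        if d.metadata["Name"]
    }


def find_mismatches(dists: dict[str, set[str]],
                    known_projects: set[str]) -> dict[str, list[str]]:
    """Return {import_name: [distributions]} for import names that
    (a) differ from the distribution's own name and
    (b) are not a registered project name in `known_projects`.
    Private modules (leading underscore) are ignored."""
    known = {normalize(p) for p in known_projects}
    out: dict[str, list[str]] = {}
    for dist_name, modules in dists.items():
        for mod in sorted(modules):
            if mod.startswith("_"):
                continue
            if normalize(mod) == normalize(dist_name):
                continue  # name matches, nothing to squat
            if normalize(mod) in known:
                continue  # the import name is already a registered project
            out.setdefault(mod, []).append(dist_name)
    return out


# Constructed sample input (not a claim about the real index).
SAMPLE_DISTS: dict[str, set[str]] = {
    "beautifulsoup4": {"bs4"},
    "PyYAML": {"yaml", "_yaml"},
    "Pillow": {"PIL"},
    "requests": {"requests"},
    "python-dateutil": {"dateutil"},
}
# Constructed snapshot of "names that exist on the index". Here 'bs4' and
# 'PIL' are pretended to be held; 'yaml' and 'dateutil' are pretended free.
SAMPLE_INDEX: set[str] = {
    "beautifulsoup4", "PyYAML", "Pillow", "requests", "python-dateutil",
    "bs4", "PIL",
}

if __name__ == "__main__":
    for mod, dists in sorted(find_mismatches(SAMPLE_DISTS, SAMPLE_INDEX).items()):
        print(f"{mod!r} (from {', '.join(dists)}) is not a registered project: "
              f"`pip install {mod}` would fetch whatever gets registered there")
```

To run it against a real environment, replace `SAMPLE_DISTS` with `installed_distributions()` and build the known-project set from an index query; the flagged names are the ones to register yourself (or to block in a curated mirror) before someone else does.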
