Re: Developers are advised to purge these malicious packages

2019-12-07 Thread David Lowry-Duda
On Wed, Dec 04, 2019 at 07:17:58PM +0100, Christian Heimes wrote:
> 
> At least the first pages are packaging files for Debian, Fedora, and
> other Linux distributions. Downstream distributions provide a Python
>
> Attackers abuse this fact and try to typo-squat packages in the hope that
> somebody uses the Linux distribution package name "python3-dateutil"
> instead of the upstream name "python-dateutil" in requirements.txt.

Yes, I understand. Thank you.

- DLD
-- 
https://mail.python.org/mailman/listinfo/python-list


Re: Developers are advised to purge these malicious packages

2019-12-05 Thread Pankaj Jangid
Christian Heimes writes:
> On 04/12/2019 18.59, David Lowry-Duda wrote:
>> I notice that "python3-dateutil" is in over 4000 github repositories 
>> [1]. That sounds like a disaster.
>> 
>> [1]: https://github.com/search?q=python3-dateutil&type=Code
>
> At least the first pages are packaging files for Debian, Fedora, and
> other Linux distributions. Downstream distributions provide a Python
> package under multiple names. For example the Fedora's build spec [1]
> creates python2-dateutil and python3-dateutil packages from the
> python-dateutil upstream project.
>
> Attackers abuse this fact and try to typo-squat packages in the hope that
> somebody uses the Linux distribution package name "python3-dateutil"
> instead of the upstream name "python-dateutil" in requirements.txt.
>
Nice explanation. Thanks.


Re: Developers are advised to purge these malicious packages

2019-12-04 Thread Michael Torrie
On 12/4/19 10:59 AM, David Lowry-Duda wrote:
> I notice that "python3-dateutil" is in over 4000 github repositories 
> [1]. That sounds like a disaster.
> 
> [1]: https://github.com/search?q=python3-dateutil&type=Code

It's clearly not, as Christian has already said. In fact it would be
very difficult to determine from a github search whether this bad
package was actually deployed anywhere. Since it presents a fake
"dateutil" module, imports would look the same and proper as using the
correct one.  The only way this package comes into play is if someone
pip installed it, or had an install script that installed it, or if it
were bundled in the source tree.

So this is very bad indeed, but not as bad as you suggest. We're not
nearly as much at risk as node.js npm users are yet.


Re: Developers are advised to purge these malicious packages

2019-12-04 Thread Christian Heimes
On 04/12/2019 18.59, David Lowry-Duda wrote:
> I notice that "python3-dateutil" is in over 4000 github repositories 
> [1]. That sounds like a disaster.
> 
> [1]: https://github.com/search?q=python3-dateutil&type=Code

At least the first pages are packaging files for Debian, Fedora, and
other Linux distributions. Downstream distributions provide a Python
package under multiple names. For example the Fedora's build spec [1]
creates python2-dateutil and python3-dateutil packages from the
python-dateutil upstream project.

Attackers abuse this fact and try to typo-squat packages in the hope that
somebody uses the Linux distribution package name "python3-dateutil"
instead of the upstream name "python-dateutil" in requirements.txt.

Christian

[1]
https://src.fedoraproject.org/rpms/python-dateutil/blob/master/f/python-dateutil.spec

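A defensive check for the two confusions this thread describes (a distro package name such as "python3-dateutil" landing in requirements.txt, and a homoglyph name such as "jeIlyfish" from the original post), as an added example that is not part of the thread or of any project's code; the allow-list of known PyPI names and the sample requirements file are constructed for the example.

```python
import re

# Constructed sample requirements.txt mixing genuine pins with the two
# lookalike names from this thread (python3-dateutil and jeIlyfish).
SAMPLE_REQUIREMENTS = """\
requests==2.22.0
python3-dateutil>=2.8
jeIlyfish==0.7.2
jellyfish==0.7.2
python-dateutil==2.8.1
"""

# Assumed allow-list of upstream PyPI names the project actually depends on.
KNOWN_PYPI_NAMES = {"requests", "python-dateutil", "jellyfish"}

# Distro-style prefixes (python3-foo, python2-foo) that upstream names lack.
DISTRO_PREFIX = re.compile(r"^python[23]-(.+)$")

# Visually confusable characters mapped to the letter they imitate.
HOMOGLYPHS = str.maketrans({"I": "l", "1": "l", "|": "l", "0": "o"})

def normalize(name):
    """PEP 503 name normalization: case-folded, runs of -_. become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def skeleton(name):
    """Normalize after collapsing confusables, so jeIlyfish == jellyfish."""
    return normalize(name.translate(HOMOGLYPHS))

def requirement_name(line):
    """Extract the bare project name from a requirements.txt line, or None."""
    m = re.match(r"\s*([A-Za-z0-9][A-Za-z0-9._-]*)", line.split("#", 1)[0])
    return m.group(1) if m else None

def audit_requirements(text, known=KNOWN_PYPI_NAMES):
    """Return (name, reason) pairs for requirement names that look like
    distro package names or homoglyph lookalikes of known PyPI names."""
    known_norm = {normalize(k) for k in known}
    by_skeleton = {skeleton(k): k for k in known}
    findings = []
    for line in text.splitlines():
        name = requirement_name(line)
        if name is None or normalize(name) in known_norm:
            continue  # blank/comment line, or an exact known name
        m = DISTRO_PREFIX.match(normalize(name))
        if m and {m.group(1), "python-" + m.group(1)} & known_norm:
            findings.append((name, "distro-style name, not the upstream PyPI name"))
        elif skeleton(name) in by_skeleton:
            findings.append((name, "homoglyph lookalike of " + by_skeleton[skeleton(name)]))
    return findings
```

Running `audit_requirements(SAMPLE_REQUIREMENTS)` flags only the two lookalike lines; a real check would feed it the project's lockfile and a larger allow-list.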


Re: Developers are advised to purge these malicious packages

2019-12-04 Thread David Lowry-Duda
I notice that "python3-dateutil" is in over 4000 github repositories 
[1]. That sounds like a disaster.

[1]: https://github.com/search?q=python3-dateutil&type=Code

- DLD

--
David Lowry-Duda


Developers are advised to purge these malicious packages

2019-12-04 Thread Pankaj Jangid


```
The Python security team removed two trojanized Python libraries from
PyPI (Python Package Index) that were caught stealing SSH and GPG keys
from the projects of infected developers.

The first is "python3-dateutil," which imitated the popular "dateutil"
library. The second is "jeIlyfish" (the first L is an I), which mimicked
the "jellyfish" library.
```

https://www.zdnet.com/article/two-malicious-python-libraries-removed-from-pypi/

Regards,
-- 
Pankaj Jangid

