FedoraForum.org - Fedora Support Forums and Community
  1. #1
    Join Date
    Mar 2011
    Location
    /
    Posts
    5,102

    Malicious software libraries found in PyPI posing as well known libraries

    Source - http://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/

    Partial quote -
    == Summary ==

    SK-CSIRT identified malicious software libraries in the official Python package
    repository, PyPI, posing as well known libraries. A prominent example is a fake
    package urllib-1.21.1.tar.gz, based upon a well known package
    urllib3-1.21.1.tar.gz.

    Such packages may have been downloaded by unwitting developer or administrator
    by various means, including the popular “pip” utility (pip install urllib).
    There is evidence that the fake packages have indeed been downloaded and
    incorporated into software multiple times between June 2017 and September 2017.

    Ycombinator discussion - https://news.ycombinator.com/item?id=15256121

  2. #2
    Join Date
    Oct 2010
    Location
    Canberra
    Posts
    2,708

    Re: Malicious software libraries found in PyPI posing as well known libraries

    I think the most troubling aspect of this was that the malware is installed by the installation script - something that will often be run with admin privileges and would rarely be reviewed.

    It would also work with software that was installed with "make install" where the malware could be installed by a line in the install target.

  3. #3
    Join Date
    Oct 2011
    Posts
    1,630

    Re: Malicious software libraries found in PyPI posing as well known libraries

    I don't see how an installation script would make a typo in a Python package name. I see this as a kind of phishing attempt, PyPI-style. If you are just blindly installing libraries from any source without checking whether it is the original source, then I would say you are being reckless. Like everywhere else, there are trusted users as well as some less trusted ones.

  4. #4
    Join Date
    Oct 2010
    Location
    Canberra
    Posts
    2,708

    Re: Malicious software libraries found in PyPI posing as well known libraries

    Quote Originally Posted by srakitnican
    I don't see how an installation script would make a typo in a Python package name. I see this as a kind of phishing attempt, PyPI-style. If you are just blindly installing libraries from any source without checking whether it is the original source, then I would say you are being reckless. Like everywhere else, there are trusted users as well as some less trusted ones.
    I don't think it's a typo in the installation script, but it's when the user makes a typo in the package name, such as urlib rather than urllib. The installation script in this alternative is what carries the malware; the library itself is just a copy of the real thing, so there is nothing to flag that you might have downloaded the wrong package.

    Part of the problem is that the Python repo is getting about 100 new packages per day, which makes it impossible to curate without relying on a lot of automation.
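The thread's practical takeaway is that the user's own typo (or an attacker's near-miss name such as the advisory's "urllib" for "urllib3") is the entry point, and that the package contents give nothing away. The script below is an added example, not code from the advisory, the posters, or pip: it pulls the bare project names out of a requirements file, normalises them the way PyPI does (PEP 503), and flags any name that is not on an allow-list but sits within a small edit distance of an allow-listed name. The allow-list, the sample requirements text and the 0.8 similarity cutoff are constructed for the example; in practice the allow-list would come from your own audited dependency inventory.

```python
"""Flag dependency names that look like typosquats of well-known packages.

Added example; not part of the advisory, the forum thread, or pip itself.
"""
import difflib
import re

# Constructed allow-list for the example. Build the real one from your own
# audited dependency inventory or a dump of the most-downloaded PyPI projects.
KNOWN_PACKAGES = {
    "urllib3", "requests", "setuptools", "six", "certifi", "idna", "chardet",
    "python-dateutil", "pyyaml", "numpy", "pip",
}

# Constructed requirements file: two legitimate pins, two near-misses (one is
# the "urllib" name from the SK-CSIRT advisory) and one unrelated in-house name.
SAMPLE_REQUIREMENTS = """\
# constructed sample input
urllib3==1.21.1
urllib==1.21.1
requests[security]>=2.18 ; python_version >= "3.4"
reqeusts
numpy>=1.13
mypackage-internal==0.1
"""

# A requirement line starts with the project name; extras ([...]), version
# specifiers and environment markers follow and are stripped here.
_NAME_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalize(name: str) -> str:
    """PEP 503 normalisation: case-fold and collapse runs of '-', '_', '.' to '-'.

    PyPI treats names that normalise to the same string as the same project,
    so comparisons must be done on the normalised form."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text: str) -> list:
    """Return the bare project names from requirements-file text.

    Comments, blank lines and pip options (-r, --index-url, ...) are skipped."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = _NAME_RE.match(line)
        if m:
            names.append(m.group(1))
    return names


def suspicious_names(names, known=KNOWN_PACKAGES, cutoff=0.8) -> dict:
    """Map each name that is NOT allow-listed but resembles an allow-listed
    name (difflib similarity >= cutoff) to the names it resembles.

    Exact normalised matches are trusted; names far from everything on the
    list are treated as unrelated projects rather than typosquats."""
    known_norm = sorted({normalize(k) for k in known})
    flagged = {}
    for name in names:
        n = normalize(name)
        if n in known_norm:
            continue
        close = difflib.get_close_matches(n, known_norm, n=3, cutoff=cutoff)
        if close:
            flagged[name] = close
    return flagged


def check_requirements(text: str = SAMPLE_REQUIREMENTS) -> dict:
    """Parse a requirements file and return the suspicious names found in it."""
    return suspicious_names(parse_requirements(text))


if __name__ == "__main__":
    for name, lookalikes in check_requirements().items():
        print(f"SUSPICIOUS: {name!r} resembles {lookalikes}; verify before installing")
```

On the constructed input this flags "urllib" (resembles urllib3) and "reqeusts" (resembles requests) while passing urllib3, requests, numpy and the in-house name. A name check only catches look-alikes, not a fake package whose name you pinned on purpose; since the fake sdist in the advisory is a different file from the genuine one, pinning `--hash=sha256:...` in the requirements file and installing with `pip install --require-hashes` makes pip reject any artifact whose hash does not match the one you audited.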
