Malware downloaded from PyPI 41,000 times was surprisingly stealthy(arstechnica.com)
arstechnica.com
Malware downloaded from PyPI 41,000 times was surprisingly stealthy
https://arstechnica.com/information-technology/2021/11/malware-downloaded-from-pypi-41000-times-was-surprisingly-stealthy/
6 comments
On this topic, something that drives me nuts about Python packaging is that the name of the top-level import often doesn’t match the name of the package. For example if you see `import yaml` in a Python script, you might try to run `pip3 install yaml`, but no, you should actually run `pip3 install pyyaml`.
> The so-called “dependency confusion attacks” work by uploading malicious packages to public code repositories and giving them names that are identical to legitimate packages stored in the internal repository of Microsoft, Apple, or another large software developer.
This is the key line. These attacks happen at installation specific organizations. The attackers haven't bypassed open source code review.
This is the key line. These attacks happen at installation specific organizations. The attackers haven't bypassed open source code review.
Since the article doesn’t have this, The names of the packages are:
importantpackage / important-package
pptest
ipboards
owlmoon
DiscordSafety
trrfab
10Cent10 / 10Cent11
yandex-yt
yiffparty
importantpackage / important-package
pptest
ipboards
owlmoon
DiscordSafety
trrfab
10Cent10 / 10Cent11
yandex-yt
yiffparty
>yiffparty
Time to have a talk with my fellow tech furs again.
Time to have a talk with my fellow tech furs again.
These look like really oddball packages that few would consider using.
How many of those 41000 are automatic build systems, mirrors and security scanners?
How many of those 41000 are automatic build systems, mirrors and security scanners?
importantpackage seems like an oddball package to you?!