InformAction Forums

NoScripters and WebSec nerds of all lands, unite!
https://forums.informaction.com/

fake python libs in PyPi, maybe others

https://forums.informaction.com/viewtopic.php?t=23288

Page 1 of 1

fake python libs in PyPi, maybe others

Posted: Sat Sep 16, 2017 12:49 am
by morganism
Affected platforms: Python (all versions on any OS incl. Windows, Linux, Mac OS)

Severity: Medium (fake software packages, code execution of benign malware)

http://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/

" Copies of several well known Python packages were published under slightly
modified names in the official Python package repository PyPI (prominent
example includes urllib vs. urrlib3, bzip vs. bzip2, etc.). These packages
contain the exact same code as their upstream package thus their functionality
is the same, but the installation script, setup.py, is modified to include a
malicious (but relatively benign) code.

List of fake package names:
– acqusition (uploaded 2017-06-03 01:58:01, impersonates acquisition)
– apidev-coop (uploaded 2017-06-03 05:16:08, impersonates apidev-coop_cms)
– bzip (uploaded 2017-06-04 07:08:05, impersonates bz2file)
– crypt (uploaded 2017-06-03 08:03:14, impersonates crypto)
– django-server (uploaded 2017-06-02 08:22:23, impersonates django-server-guardian-api)
– pwd (uploaded 2017-06-02 13:12:33, impersonates pwdhash)
– setup-tools (uploaded 2017-06-02 08:54:44, impersonates setuptools)
– telnet (uploaded 2017-06-02 15:35:05, impersonates telnetsrvlib)
– urlib3 (uploaded 2017-06-02 07:09:29, impersonates urllib3)
– urllib (uploaded 2017-06-02 07:03:37, impersonates urllib3)

Re: fake python libs in PyPi, maybe others

Posted: Sat Sep 16, 2017 8:32 pm
by morganism
Devs unknowingly use “malicious” modules snuck into official Python repository


https://arstechnica.com/information-tec ... epository/

"The incidents closely resemble an attack carried out last year in a research experiment by a college student in Germany. As part of his bachelor thesis, University of Hamburg student Nikolai Philipp Tschacher uploaded packages to PyPI and two other repositories. The packages used names that were similar to widely used packages already submitted by other users. They also contained code that tracked the developers. Over a span of several months, his imposter code was executed more than 45,000 times on more than 17,000 separate domains, and more than half the time his code was given all-powerful administrative rights. Two of the affected domains ended in .mil, an indication that people inside the US military had run his script."

Re: fake python libs in PyPi, maybe others

Posted: Sun Sep 17, 2017 12:29 pm
by therube
Sounds similar to, Backdoors on webshells.
All times are UTC
Page 1 of 1

Powered by phpBB® Forum Software © phpBB Limited