Malicious code found in official Python repository PyPI.

Vealis

Member
Aug 14, 2016
177
67
"SK-CSIRT identified malicious software libraries in the official Python package
repository, PyPI, posing as well known libraries. A prominent example is a fake
package urllib-1.21.1.tar.gz, based upon a well known package
urllib3-1.21.1.tar.gz."

List of fake package names:
– acqusition (uploaded 2017-06-03 01:58:01, impersonates acquisition)
– apidev-coop (uploaded 2017-06-03 05:16:08, impersonates apidev-coop_cms)
– bzip (uploaded 2017-06-04 07:08:05, impersonates bz2file)
– crypt (uploaded 2017-06-03 08:03:14, impersonates crypto)
– django-server (uploaded 2017-06-02 08:22:23, impersonates django-server-guardian-api)
– pwd (uploaded 2017-06-02 13:12:33, impersonates pwdhash)
– setup-tools (uploaded 2017-06-02 08:54:44, impersonates setuptools)
– telnet (uploaded 2017-06-02 15:35:05, impersonates telnetsrvlib)
– urlib3 (uploaded 2017-06-02 07:09:29, impersonates urllib3)
– urllib (uploaded 2017-06-02 07:03:37, impersonates urllib3)

Source:
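A quick defender-side check for the ten names listed above, added here as an example for this thread (it is not code from SK-CSIRT, PyPI or the advisory). It normalizes names the way PyPI does (case-insensitive, with runs of `-`, `_` and `.` treated as one `-`), so spelling variants of the same distribution name are still caught, and it scans both the packages installed in the current interpreter and a requirements file. The sample requirements text is constructed for demonstration.

```python
"""Flag the typosquatted PyPI names from the SK-CSIRT advisory in an
installed environment or a requirements file.

Added example for this thread; the package names are the ten from the
advisory, the sample requirements text below is constructed.
"""
import re
from importlib.metadata import distributions

# Fake name -> legitimate package it impersonated (from the advisory).
KNOWN_FAKES = {
    "acqusition": "acquisition",
    "apidev-coop": "apidev-coop_cms",
    "bzip": "bz2file",
    "crypt": "crypto",
    "django-server": "django-server-guardian-api",
    "pwd": "pwdhash",
    "setup-tools": "setuptools",
    "telnet": "telnetsrvlib",
    "urlib3": "urllib3",
    "urllib": "urllib3",
}


def normalize(name: str) -> str:
    """PEP 503 name normalization: lower-case, and any run of '-', '_' or '.'
    becomes a single '-'. 'Setup_Tools' and 'setup-tools' are the same
    distribution on PyPI, so a plain string compare would miss variants."""
    return re.sub(r"[-_.]+", "-", name).lower()


NORMALIZED_FAKES = {normalize(k): v for k, v in KNOWN_FAKES.items()}


def flag_names(names):
    """Return (name_as_seen, impersonated_package) for each known fake in names."""
    hits = []
    for name in names:
        key = normalize(name)
        if key in NORMALIZED_FAKES:
            hits.append((name, NORMALIZED_FAKES[key]))
    return hits


# A requirement line starts with the distribution name; extras ("[security]"),
# version specifiers and markers follow and are not part of the name.
REQ_LINE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def requirement_names(text: str):
    """Extract distribution names from requirements.txt content, skipping
    comments, blank lines and pip options such as '-r other.txt'."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = REQ_LINE.match(line)
        if m:
            names.append(m.group(1))
    return names


def installed_names():
    """Names of every distribution visible to the running interpreter."""
    return [d.metadata["Name"] for d in distributions() if d.metadata["Name"]]


# Constructed sample: pins the real urllib3 next to two of the fake names.
SAMPLE_REQUIREMENTS = """\
# pinned deps
urllib3==1.21.1
urlib3==1.21.1      # one letter short
Setup_Tools>=1.0
requests[security]==2.18.0
-r extra.txt
"""

if __name__ == "__main__":
    for name, real in flag_names(requirement_names(SAMPLE_REQUIREMENTS)):
        print(f"requirements: {name!r} is a known fake of {real!r}")
    for name, real in flag_names(installed_names()):
        print(f"installed: {name!r} is a known fake of {real!r}")
```

Run it inside each virtualenv you want to check; a clean environment prints nothing for the installed scan. The list is only the advisory's ten names, so it tells you whether these particular fakes are present, not whether other look-alike packages are.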
 

renice

Newbie
Jun 30, 2017
42
85
Well, that's unpleasant.
The linked source includes details to discover the compromised files, but I found none on my (main) system. Will have to check the rest.

For renpy games, I never use the provided packages. I use a full installation of renpy, and delete everything from the game publisher other than the 'game' folder. The game folder inside a folder of arbitrary name can be placed in the right location for Renpy and launched from there. This avoids using any executables or library files from the publisher.
 

FallenLondon

Active Member
Aug 5, 2016
716
502
I don't understand the severity rating:
Severity: Medium (fake software packages, code execution of benign malware)

What is benign malware?

@wep can you explain what that means?
 

wep

Respected User
Former Staff
Aug 16, 2016
2,899
16,809
> I don't understand the severity rating:
> Severity: Medium (fake software packages, code execution of benign malware)
>
> What is benign malware?
>
> @wep can you explain what that means?

Hi FallenLondon, I was traveling for work. Actually, Squishy's link is quite clear.
 

FallenLondon

Active Member
Aug 5, 2016
716
502
No worries, wep. I just thought malware was by definition malicious - the name is, after all, derived from "malicious software". So the addition of "benign" made zero sense to me.