Malicious code found in official python repository PyPI.

Vealis

Member
Aug 14, 2016
187
72
"SK-CSIRT identified malicious software libraries in the official Python package
repository, PyPI, posing as well known libraries. A prominent example is a fake
package urllib-1.21.1.tar.gz, based upon a well known package
urllib3-1.21.1.tar.gz."

List of fake package names:
– acqusition (uploaded 2017-06-03 01:58:01, impersonates acquisition)
– apidev-coop (uploaded 2017-06-03 05:16:08, impersonates apidev-coop_cms)
– bzip (uploaded 2017-06-04 07:08:05, impersonates bz2file)
– crypt (uploaded 2017-06-03 08:03:14, impersonates crypto)
– django-server (uploaded 2017-06-02 08:22:23, impersonates django-server-guardian-api)
– pwd (uploaded 2017-06-02 13:12:33, impersonates pwdhash)
– setup-tools (uploaded 2017-06-02 08:54:44, impersonates setuptools)
– telnet (uploaded 2017-06-02 15:35:05, impersonates telnetsrvlib)
– urlib3 (uploaded 2017-06-02 07:09:29, impersonates urllib3)
– urllib (uploaded 2017-06-02 07:03:37, impersonates urllib3)

Source:
 

renice

Newbie
Jun 30, 2017
43
85
well that's unpleasant.
The linked source includes details to discover the compromised files, but found none on my (main) system. Will have to check the rest.

For renpy games, I never use the provided packages. I use a full installation of renpy, and delete everything from the game publisher other than the 'game' folder. The game folder inside a folder of arbitrary name can be placed in the right location for Renpy and launched from there. This avoids using any executables or library files from the publisher.
 

FallenLondon

Active Member
Aug 5, 2016
718
507
I don't understand the severity rating:
Severity: Medium (fake software packages, code execution of benign malware)

What is benign malware?

@wep can you explain what that means?
 

wep

OffLine
Respected User
Former Staff
Aug 16, 2016
2,899
16,921
I don't understand the severity rating:
Severity: Medium (fake software packages, code execution of benign malware)

What is benign malware?

@wep can you explain what that means?
Hi FallenLondon, I was traveling for work. Actually Squishy link is quite clear.
 
  • Like
Reactions: Vealis

FallenLondon

Active Member
Aug 5, 2016
718
507
No worries wep. I just thought malware was by definition malicious - the name is after all derived from malicious software. So the addition benign made zero sense to me.