Python developers have been warned to be on guard against malicious packages in the open source coding language's software repository, and to validate what they download to include in their programs.
Over the weekend, Slovakia's computer emergency authority SK-CSIRT first issued an alert that it had found a number of bogus packages in the Python repository.
The packages have similar names to official programs, to trick developers into downloading the malicious variants. They include:
- acqusition, impersonates acquisition
- apidev-coop, impersonates apidev-coop_cms
- bzip, impersonates bz2file
- crypt, impersonates crypto
- django-server, django-server-guardian-api
- pwd, impersonates pwdhash
- setup-tools, impersonates setuptools
- telnet, impersonates telnetsrvlib
- urlib3, impersonates urllib3
- urllib, impersonates urllib3
They were uploaded to the official Python code repository between June 2 and 4 this year, by an unknown person.
SK-CSIRT said the packages have been downloaded by developers since June this year, and were removed from the Python repository this month.
The packages contain code that attempts to connect to a web server running on an Internet Protocol address allocated to a network in China.
iTnews connected to the server and received a welcome message saying "Happy to see somebody find it ! :). Just curious about how long it would take for people to find those 'bad' packages. As you see, that's just a toy script, no harm, hope you enjoy it."
However, SK-CSIRT was taking the threat seriously.
"Success of the attack relies on negligence of the developer, or system administrator, who does not check the name of the package thoroughly," it said.
"It is also easy to publish any arbitrary Python code to the PyPI repository, which does not have and quality assurance or code review process."
Volunteers running www.pytosquatting.org were attempting "namesquatting" of the bogus packages to mitigate against the problem.
Developers have also been advised to use a Python Pip installer that does safety lookups and fails with an error message, should the attempted package not validate properly.