Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security Software

Software Downloaded 30,000 Times From PyPI Ransacked Developers' Machines (arstechnica.com) 26

Open source packages downloaded an estimated 30,000 times from the PyPI open source repository contained malicious code that surreptitiously stole credit card data and login credentials and injected malicious code on infected machines, researchers said on Thursday. Ars Technica reports: In a post, researchers Andrey Polkovnichenko, Omer Kaspi, and Shachar Menashe of devops software vendor JFrog said they recently found eight packages in PyPI that carried out a range of malicious activity. Based on searches on https://pepy.tech, a site that provides download stats for Python packages, the researchers estimate the malicious packages were downloaded about 30,000 times. [...] Different packages from Thursday's haul carried out different kinds of nefarious activities. Six of them had three payloads, one for harvesting authentication cookies for Discord accounts, a second for extracting any passwords or payment card data stored by browsers, and the third for gathering information about the infected PC, such as IP addresses, computer name, and user name. The remaining two packages had malware that tries to connect to an attacker-designated IP address on TCP port 9009, and to then execute whatever Python code is available from the socket. It's not now known what the IP address was or if there was malware hosted on it.

Like most novice Python malware, the packages used only a simple obfuscation such as from Base64 encoders. Karas told me that the first six packages had the ability to infect the developer computer but couldn't taint the code developers wrote with malware. "For both the pytagora and pytagora2 packages, which allows code execution on the machine they were installed, this would be possible." he said in a direct message. "After infecting the development machine, they would allow code execution and then a payload could be downloaded by the attacker that would modify the software projects under development. However, we don't have evidence that this was actually done."

This discussion has been archived. No new comments can be posted.

Software Downloaded 30,000 Times From PyPI Ransacked Developers' Machines

Comments Filter:
  • by WoodstockJeff ( 568111 ) on Friday July 30, 2021 @08:18PM (#61640573) Homepage

    ... to blindly run python scripts they don't know or understand, especially with elevated privileges?

    (other than when they install Linux)

    • by johnnys ( 592333 ) on Friday July 30, 2021 @08:30PM (#61640605)
      Answer: A HUGE percentage of devs delivering software in business today. They are hired to produce, not to cause delays.
    • Use open-source, better than proprietary. *starts reading through every bit of code* Well that's one way to conquer the world. One line at a time.

    • Looking at the linked analysis, the malware in these packages appears to be all Windows-specific. At the very least, it uses hard-coded Windows path separators, and some of it uses paths that only exist on Windows.
  • by Anonymous Coward on Friday July 30, 2021 @08:19PM (#61640577)

    The New Way of Coding is to download dozens, maybe hundreds of little bits of code from random places.

    But the languages, operating systems, runtime environments, everything, are from the Old Way of Coding, where every line of code has access to everything, and there's no way of knowing what something might do.

    Something's gotta give.

    If people want to keep coding this way, things need to be rebuilt from the ground up. With tight, granular control. With fine-grained isolation. With proof-carrying code. Docker and flatpak and VMs are not good enough. And no, you will not be able to keep coding anything you would recognize as being Python.

    It should be unusual for a piece of code to have access to files and the network; that should be reserved for a very fiew pieces of code that have good reasons and come from known sources and are looked at carefully. And "files" shouldn't mean "every file on the system" or even "every file some single user has", and "the network" shouldn't mean "just anything anywhere on the Internet". And it should be weird for code that can read much of anything at all to be able to write things that much other code can read.

    • In theory much of what you say is correct. The problem is, who is going to inspect every line of code of every library or package etc. that one downloads? And do it with enough experience to be able to see the possible security issues. This has always been an issue for these kinds of repositories. When there are no gatekeepers to ensure the code is good, the code must be assumed to be bad and malicious. One of the flaws in the 'use frameworks' thinking. Some of the larger frameworks and code repositories do
    • We're long overdue for a data center OS that does all that. 10+ years ago I used to have my fingers crossed VMware would announce a new OS, because screw virtualizing Linux I just want to run software and not deal with all that baggage. Then docker and k8s happened and it seems we're stuck with those bolted on duct taped garbage solutions. Going back to crying in my beer now, thanks.

    • There's a role for the OS here as well. Windoes by default gives any application access to everything the user can access. Why does Android provide me with more granular control of app permissions (showing the permissions at install time but also, crucially, explicitly requesting a specific permission when first used) than a Desktop OS like Windows?

  • by Antique Geekmeister ( 740220 ) on Friday July 30, 2021 @09:32PM (#61640711)

    Other open source installation tools have precisely this issue, including ant, maven, CPAN, and ansible galaxy. It's compounded by tools that reach out directly to obscure github or sourceforge repos which may not be securely managed. It's why Linux distributions exist to provide some sanity checking and chance to lock down specific versions of the software.

  • by arQon ( 447508 ) on Friday July 30, 2021 @11:07PM (#61640843)

    to avoid using Python... :P

  • Is it patch Tuesday already?
  • by stikves ( 127823 ) on Saturday July 31, 2021 @01:48AM (#61641009) Homepage

    I used to pull in Java and C# dependencies into my SVN tree manually every time, and disabled every effort by tools to auto update the libraries. However even for smaller projects those "external" dirs quickly grew in size, and was difficult to audit.

    Today, I don't have the same energy, and dependency trees grew even larger. To make things worse, auto downloaders like pip are now standard with many Linux distributions, and many libraries assume you would use them, without asking. I could of course set up a managed mirror for every tool, and try to check each and every package I download, but let's be frank, almost nobody will do that. Or at least without having a separate dedicated team tasked with only 3rd party packages.

    And, again many Linux distributions gave up on following each and every Python, Ruby, Node, R, .Net. Java package out there, but just give you tools to do local installs from remote repositories.

    So, unfortunately, the battle is already lost.

  • Jesus fucking Christ! I've had it with the motherfuckers in this world.
  • This is one of the motivations why curated software repositories exist.
    Anaconda for Python
    Microsoft R Open
    I recall Node.js has some quality controlled repos too.

    Frankly, much of the fun of open source is discovering neat things other people have written. So the risk is always there. Perhaps the future is development machines that aren't our personal machines. We are already getting there. RStudio cloud is a decent replacement for local development experience. RStudio Server, Eclipse Theia and VS Code server

The opossum is a very sophisticated animal. It doesn't even get up until 5 or 6 PM.

Working...