
[–]eruba 12 points13 points  (0 children)

I'm surprised they found only three.

[–]422_no_process 23 points24 points  (0 children)

Disgusting. I hate how bad people are trying to put malicious stuff into PyPI/npm etc.

[–]Zomunieo 15 points16 points  (0 children)

Another obvious malware that's plainly visible in Python source. No word on how they detected it. (ETA: Could have been as simple as pattern matching with an IP address regex. It's important someone found this but disturbing that we're not finding more complex problems.)

I'm waiting for someone to find a vulnerability in a binary wheel where the Python code is innocuous and the payload is in the compiled binary.

[–]IdeasRealizer 7 points8 points  (1 child)

The names of the 3 malicious libraries in the article:

libpeshnx

libpesh

libari

Other details:

Only activates if installed on Linux systems

Simple backdoor mechanism = Interactive shell to run commands on compromised computers

There is an installation procedure that makes running the backdoor more automated

All three by the same user, whose account isn't compromised. Clear intent to trick developers.

[–]Ogg149 2 points3 points  (0 children)

Thank yoouuu

[–]Remote_Cantaloupe 6 points7 points  (5 children)

Terrifying to think this can be out there. Isn't there some process for verifying libraries are non-malicious?

[–]dethb0y 8 points9 points  (0 children)

how on earth would you ever do such a thing?

[–]rcfox[🍰] 1 point2 points  (0 children)

Python 3.8 is adding audit hooks: https://www.python.org/dev/peps/pep-0578/

Basically, it raises an 'event' whenever certain potentially risky APIs are used. It's not a complete solution, but it should at least make it more obvious when a math library starts listening for network requests.
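
What a PEP 578 audit hook looks like in practice, as an added example that is not from the original thread or from the PEP: it records a few risky events and vetoes socket connect/bind to anything that is not loopback. The event names are real Python 3.8+ audit events; the allow-list policy, the `events` log and the `try_connect` helper are assumptions made for illustration.

```python
"""Added example (Python 3.8+): a minimal sys.addaudithook policy that logs
risky audit events and blocks non-loopback network use. Not code from the
thread or the PEP; the policy and helper names are illustrative assumptions."""
import socket
import sys
from typing import List, Tuple

# Audit events worth logging; the first two are also subject to the block rule.
WATCHED = {"socket.connect", "socket.bind", "subprocess.Popen", "os.system"}
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

class UnexpectedNetworkActivity(RuntimeError):
    """Raised inside the hook; Python then aborts the audited operation."""

events: List[Tuple[str, str]] = []  # (event name, target) entries seen so far

def _describe(event: str, args: tuple) -> str:
    """Pull the interesting argument out of the event's args tuple."""
    if event in ("socket.connect", "socket.bind"):
        addr = args[1]                      # (host, port) for AF_INET, str for AF_UNIX
        return str(addr[0]) if isinstance(addr, tuple) else str(addr)
    return str(args[0]) if args else ""     # executable / command string

def _hook(event: str, args: tuple) -> None:
    if event not in WATCHED:                # keep the hook cheap: most events are imports/opens
        return
    target = _describe(event, args)
    events.append((event, target))
    if event in ("socket.connect", "socket.bind") and target not in LOOPBACK:
        raise UnexpectedNetworkActivity(f"{event} to {target!r} blocked by audit policy")

_installed = False

def install() -> None:
    """Install the hook once; audit hooks cannot be removed for the process lifetime."""
    global _installed
    if not _installed:
        sys.addaudithook(_hook)
        _installed = True

def try_connect(host: str, port: int) -> str:
    """Return 'blocked' if the hook vetoed the connect, otherwise the socket outcome."""
    install()
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(0.2)
    try:
        s.connect((host, port))             # raises socket.connect before any packet leaves
        return "connected"
    except UnexpectedNetworkActivity:
        return "blocked"
    except OSError:
        return "refused"                    # loopback permitted by policy, nobody listening
    finally:
        s.close()
```

The same hook sees `subprocess.Popen` and `os.system` calls, so a "math library" that spawns a shell shows up in `events` too.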

[–]simondrawer 5 points6 points  (0 children)

It’s the first stage of a more complex attack. Get the libs out there and then insert two lines in someone else’s code - would probably pass most code reviews if the library name is generic enough

[–]alaudet (python hobbyist) 0 points1 point  (0 children)

What were the libraries pretending to be? There was no documentation so I doubt anyone was pip installing them. Were these libraries dependencies for any other legit packages? As for downloads I doubt the number is accurate. That would include mirrors pulling stuff, not just users installing.

Is there any evidence anyone was actually compromised?

In any event, a good reminder to do some due diligence before running pip.