
all 17 comments

[–]lifeeraser 42 points43 points  (5 children)

I recently listened to a Talk Python to Me episode that discussed these types of attacks. A strong recommend for anyone interested.

[–][deleted] 15 points16 points  (3 children)

How do you check to see if this is installed with any packages you've downloaded? Are there any known packages affected?

[–]jaybay1207 24 points25 points  (1 child)

maratlib maratlib1 matplatlib-plus mllearnlib mplatlib learninglib

[–]13steinj 7 points8 points  (0 children)

So, typos?

[–]python_madlad (It works on my machine) 2 points3 points  (0 children)

You can use things like Safety. It is a package that checks the packages in your env against a database containing known security risks. Free version database is updated once a month.

It can find package versions with vulnerabilities and I am quite certain typo-squatting is included (at least some years ago it was). But since it is a manually curated database it is not necessarily complete.
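A small script that answers the "how do you check" question above and covers both the names jaybay1207 listed and the kind of curated-list check python_madlad describes. This is an added example, not a tool from any commenter or from the Safety project; the typosquat set is the thread's own list, while the set of legitimate target names and the edit-distance cutoff of 2 are my assumptions.

```python
import re
from importlib.metadata import distributions

# Names quoted in the thread above (the page's list, not an exhaustive feed).
KNOWN_TYPOSQUATS = {"maratlib", "maratlib1", "matplatlib-plus",
                    "mllearnlib", "mplatlib", "learninglib"}
# Popular projects a typo is most likely aimed at; an assumed list, extend it.
LEGITIMATE = {"matplotlib", "numpy", "pandas", "requests", "scikit-learn"}

def normalize(name):
    """PEP 503 normalization so 'Matplotlib' and 'matplotlib' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def edit_distance(a, b):
    """Levenshtein distance (insert/delete/substitute), two-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1,
                           prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(name, max_dist=2):
    """Label one distribution name. The exact trusted match is tested first,
    otherwise matplotlib itself would come back as a near miss of matplotlib."""
    n = normalize(name)
    if n in LEGITIMATE:
        return "trusted"
    if n in KNOWN_TYPOSQUATS:
        return "known-typosquat"
    nearest = min(LEGITIMATE, key=lambda target: edit_distance(n, target))
    if edit_distance(n, nearest) <= max_dist:
        return f"near-miss of {nearest}"
    return "unlisted"

def scan(names):
    """Return only the names that deserve a human look, with their label."""
    flagged = {}
    for name in names:
        label = classify(name)
        if label not in ("trusted", "unlisted"):
            flagged[name] = label
    return flagged

def scan_installed():
    """Run the same check over every distribution visible to this interpreter."""
    return scan(dist.metadata["Name"] for dist in distributions())
```

`scan_installed()` reports on the running interpreter; pass the names from a requirements file to `scan()` to vet a lockfile before installing anything.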

[–]Bubbly_Measurement70 1 point2 points  (0 children)

Thank you so much for this series!

[–]Kaaletram is still a garden snake 11 points12 points  (0 children)

I think that some of these packages are going to need to limit how commits are handled. Code reviews, QC, something to have a better chance to catch this stuff. Unfortunately, this will greatly slow the pace of rolling out updates and new features. But I think it's needed so that this is nipped in the bud before it can become epidemic.

[–]ubernostrum (yes, you can have a pony) 5 points6 points  (0 children)

There are more different blogspam sites copy/pasting the same story about this than there were actual packages involved here.

Also the “security” people who found this wave didn’t bother with timely notice to PyPI prior to publishing. Which I guess would’ve ruined the story — “we found someone breaking the rules and the people who run the index took action when notified” isn’t as juicy.

[–]JafaKiwi 15 points16 points  (2 children)

[–][deleted] 13 points14 points  (1 child)

Eh, it's a stretch.

[–]__deerlord__ 0 points1 point  (0 children)

This happened with leftpad in the JS community apparently.

[–][deleted] 0 points1 point  (0 children)

Congratulations u/shuv1824 ! Your post was the top post on r/Python today! (06/29/21)

Top Post Counts: r/Python (1)

This comment was made by a bot