
SECURITY ADVISORY! Malicious Python libraries distributed through `pip`!

  1. #1
    Sophie Pedophile Tech Support
    This is a big deal if you are a Python developer. Due to some typosquatting and bad security practices on the part of PyPI, 10 malicious Python packages have been identified. They contain malicious code on top of the normal classes and such.

    These packages are affected.

    – acqusition (uploaded 2017-06-03 01:58:01, impersonates acquisition)
    – apidev-coop (uploaded 2017-06-03 05:16:08, impersonates apidev-coop_cms)
    – bzip (uploaded 2017-06-04 07:08:05, impersonates bz2file)
    – crypt (uploaded 2017-06-03 08:03:14, impersonates crypto)
    – django-server (uploaded 2017-06-02 08:22:23, impersonates django-server-guardian-api)
    – pwd (uploaded 2017-06-02 13:12:33, impersonates pwdhash)
    – setup-tools (uploaded 2017-06-02 08:54:44, impersonates setuptools)
    – telnet (uploaded 2017-06-02 15:35:05, impersonates telnetsrvlib)
    – urlib3 (uploaded 2017-06-02 07:09:29, impersonates urllib3)
    – urllib (uploaded 2017-06-02 07:03:37, impersonates urllib3)

    ArsTechnica has an article. https://arstechnica.com/information-technology/2017/09/devs-unknowingly-use-malicious-modules-put-into-official-python-repository/

    To see if you're affected, run the following.

    sudo pip list --format=legacy | egrep '^(acqusition|apidev-coop|bzip|crypt|django-server|pwd|setup-tools|telnet|urlib3|urllib)'

    If any package comes up, delete it immediately and run whatever anti-virus solution you have on top of it just to make sure.
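    As an added example (not part of the original post, and not pip's own code), here is a small script that does the same check with exact package-name matching instead of a prefix regex. It reads installed distributions through `importlib.metadata`, normalizes names the way PyPI does (PEP 503: lowercase, runs of `-`, `_` and `.` collapsed to `-`), and reports only exact hits against the ten names in the advisory, so a legitimate `urllib3` is not flagged just because it starts with `urllib`. The sample input in the test is constructed.

```python
"""Check installed Python distributions against the ten typosquatting packages
named in the advisory. Added example; not the original post's command and not
part of pip or PyPI.
"""
import re
from importlib import metadata

# Malicious name -> legitimate package it impersonates (both taken from the advisory).
MALICIOUS_PACKAGES = {
    "acqusition": "acquisition",
    "apidev-coop": "apidev-coop_cms",
    "bzip": "bz2file",
    "crypt": "crypto",
    "django-server": "django-server-guardian-api",
    "pwd": "pwdhash",
    "setup-tools": "setuptools",
    "telnet": "telnetsrvlib",
    "urlib3": "urllib3",
    "urllib": "urllib3",
}


def normalize(name: str) -> str:
    """PEP 503 normalization: lowercase, and any run of '-', '_', '.' becomes '-'.
    pip and PyPI treat 'Setup_Tools' and 'setup-tools' as the same project."""
    return re.sub(r"[-_.]+", "-", name).lower()


def find_malicious(installed_names, malicious=MALICIOUS_PACKAGES):
    """Return a sorted list of (installed_name, impersonated_name) for exact matches.

    Exact comparison on normalized names avoids the false positive a prefix
    regex produces: 'urllib3' is a legitimate package and is only reported if
    the installed name *is* one of the listed squats (e.g. 'urlib3').
    """
    bad = {normalize(k): v for k, v in malicious.items()}
    hits = []
    for name in installed_names:
        key = normalize(name)
        if key in bad:
            hits.append((name, bad[key]))
    return sorted(hits)


def installed_distribution_names():
    """Names of every distribution visible to the running interpreter."""
    return [dist.metadata["Name"] for dist in metadata.distributions()]


if __name__ == "__main__":
    hits = find_malicious(installed_distribution_names())
    if not hits:
        print("No packages from the advisory are installed.")
    for installed, impersonated in hits:
        print(f"REMOVE: {installed!r} (typosquat of {impersonated!r})")
```

Run it with the same interpreter whose packages you want to inspect (`sudo python3 check.py` if the suspect install was system-wide), since `importlib.metadata` only sees the active environment.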
  2. #2
    NARCassist gollums fat coach
    I think I'm good.
  3. #3
    Sophie Pedophile Tech Support
    Yeah, for a second I thought I was owned, but I didn't realize it would give me urllib3 as a result even if it was the proper one, because it just figured OH IT SAYS URLLIB and then said CLOSE ENOUGH!
  4. #4
    mashlehash victim of incest [my perspicuously dependant flavourlessness]
    Sophie isn't a complete waste.
  5. #5
    Sophie Pedophile Tech Support
    Originally posted by mashlehash Sophie isn't a complete waste.

    I sure ain't.
  6. #6
    mashlehash victim of incest [my perspicuously dependant flavourlessness]
    You're a complete waste, whore.
  7. #7
    SBTlauien African Astronaut
    Looks like it only uploaded benign user information to a Chinese server. Still sketch.
  8. #8
    Lanny Bird of Courage
    lol, the pytosquatting thing.

    Gonna suck if uploading packages takes some approval process now.