The Slovak National Security Office (NBU) has identified ten malicious Python libraries uploaded on PyPI — Python Package Index — the official third-party software repository for the Python programming language.
NBU experts say attackers used a technique known as typosquatting to upload Python libraries with names similar to legitimate packages — e.g.: "urlib" instead of "urllib."
The PyPI repository does not perform any types of security checks or audits when developers upload new libraries to its index, so attackers had no difficulty in uploading the modules online.
Developers who mistyped the package name loaded the malicious libraries in their software's setup scripts.
"These packages contain the exact same code as their upstream package thus their functionality is the same, but the installation script, setup.py, is modified to include a malicious (but relatively benign) code," NBU explained.
Experts say the malicious code only collected information on infected hosts, such as name and version of the fake package, the username of the user who installed the package, and the user's computer hostname.
Collected data, which looked like "Y:urllib-1.21.1 admin testmachine", was uploaded to a Chinese IP address at "188.8.131.52:8080".
NBU officials contacted PyPI administrators last week who removed the packages before officials published a security advisory on Saturday. The following packages were found to contain the malicious code:
The malicious code was intended for use with Python 2.x, and it generated errors when used in Python 3.x applications. This is how users discovered its presence while debugging their apps.
NBU says the malicious packages were active between June 2017 and September 2017, and there's evidence they were used in several software packages.
Experts ask Python developers to review their software and see if they used one of the tainted libraries. Software packages should be recompiled with the original, clean versions of the malicious libraries.
On a side note, and unrelated to the attack vector, NBU also advises Python developers to avoid using "pip" — a Python package installer — when downloading Python libraries, as pip does not support cryptographic signatures.
Indicators of compromise are available in the NBU security alert.