Recently I discovered yet another malicious package in the PyPI repository. The py-terminal-banner package does a couple of interesting things, but most notably it creates a reverse shell.

Details of the py-terminal-banner Package

The py-terminal-banner package may be attempting to typo-squat the terminal-banner package, hoping that somebody would mistakenly install it instead.

This package has been in the PyPI repository since Nov 8, 2019 and, according to pypistats.org, was downloaded almost 150 times in the last 6 months, although not all of those downloads necessarily resulted in an installation or actual use. This package has been reported to the PyPI administrators.

Recommended Remediation

If you have the…


In the months since my last posts regarding malicious code in the PyPI repository, I made some improvements to my static code analysis tool (see Detecting Cyber Attacks on PyPI for background). As part of this effort I recently rescanned the PyPI repository and this is what I found.

While analyzing the data from the scan, I discovered an interesting PyPI package named ‘pytz3-dev’. This package is “typo-squatting” the popular PyPI package named ‘pytz’ by adding a number at the end of the package name (maybe to indicate or imply a version) and also using the Ubuntu package management convention…


21 Oct 2018

If you’ve ever installed a PyPI package named ‘colourama’, you probably want to read further.

As mentioned in a previous blog post (Detecting Cyber Attacks on PyPI), for the last year I have been doing research on automated detection of malicious code in the PyPI repository. In an initial scan of the PyPI repository earlier this year, I detected eleven malicious packages and reported them to the PyPI maintainers privately. Since then, I’ve continued improvements to the detection tool and recently rescanned the PyPI repository.

While analyzing the data from the rescan, I discovered an interesting PyPI…


13 Oct 2018

There are malicious packages lurking in the Python Package Index (PyPI) repository. Using a custom-written automatic scanning tool, I was able to identify eleven different malicious packages based on the content of their installer scripts. Many of these malicious packages were typo-squatting a legitimate package, posing a real possibility of programmers inadvertently executing malicious code on their machines. Future work may identify further packages in PyPI.

Background

In the Fall of 2017 I was looking for a research project in the information security field that would also include aspects of software engineering. At the time SKCIRT (Slovakia’s National Security…

Bertus

Software and Security Engineering
