In the months since my last posts regarding malicious code in the PyPI repository, I made some improvements to my static code analysis tool (see Detecting Cyber Attacks on PyPI for background). As part of this effort I recently rescanned the PyPI repository and this is what I found.

While analyzing the data from the scan, I discovered an interesting PyPI package named ‘pytz3-dev’. This package is “typo-squatting” the popular PyPI package named ‘pytz’ by adding a number at the end of the package name (maybe to indicate or imply a version) and also using the Ubuntu package management convention…

21 Oct 2018

If you’ve ever installed a PyPI package named ‘colourama’, you probably want to read further.

As mentioned in a previous blog post (Detecting Cyber Attacks on PyPI), for the last year I have been doing research on automated detection of malicious code in the PyPI repository. In an initial scan of the PyPI repository earlier this year, I detected eleven malicious packages and reported them to the PyPI maintainers privately. Since then, I’ve continued improvements to the detection tool and recently rescanned the PyPI repository.

While analyzing the data from the rescan, I discovered an interesting PyPI…

13 Oct 2018

There are malicious packages lurking in the Python Package Index (PyPI) repository. Using a custom-written automatic scanning tool, I was able to identify eleven different malicious packages based on the content of their installer scripts. Many of these malicious packages was typo-squatting a legitimate package, posing real possibilities of programmers inadvertently executing malicious code on their machines. Future work may identify further packages in PyPI.

Background

In the Fall of 2017 I was looking for a research project in the information security field that would also include aspects of software engineering. At the time SKCIRT (Slovakia’s National Security…