Recently I discovered yet another malicious package in the PyPI repository. The py-terminal-banner package does a couple of interesting things but most notably it creates a reverse shell.
The py-terminal-banner package may be attempting to typo-squat the terminal-banner package, hoping that somebody would mistakenly install it instead.
This package has been in the PyPI repository since Nov 8, 2019 and, according to pypistats.org, the package was downloaded almost 150 times in the last 6 months, although not all of those downloads may have resulted in an installation or usage. This package has been reported to the PyPI administrators.
If you have the…
In the months since my last posts regarding malicious code in the PyPI repository, I made some improvements to my static code analysis tool (see Detecting Cyber Attacks on PyPI for background). As part of this effort I recently rescanned the PyPI repository and this is what I found.
While analyzing the data from the scan, I discovered an interesting PyPI package named ‘pytz3-dev’. This package is “typo-squatting” the popular PyPI package named ‘pytz’ by adding a number at the end of the package name (maybe to indicate or imply a version) and also using the Ubuntu package management convention…
21 Oct 2018
If you’ve ever installed a PyPI package named ‘colourama’, you probably want to read further.
As mentioned in a previous blog post (Detecting Cyber Attacks on PyPI), for the last year I have been doing research on automated detection of malicious code in the PyPI repository. In an initial scan of the PyPI repository earlier this year, I detected eleven malicious packages and reported them to the PyPI maintainers privately. Since then, I’ve continued improvements to the detection tool and recently rescanned the PyPI repository.
While analyzing the data from the rescan, I discovered an interesting PyPI…
13 Oct 2018
There are malicious packages lurking in the Python Package Index (PyPI) repository. Using a custom-written automatic scanning tool, I was able to identify eleven different malicious packages based on the content of their installer scripts. Many of these malicious packages were typo-squatting a legitimate package, posing real possibilities of programmers inadvertently executing malicious code on their machines. Future work may identify further packages in PyPI.
Software and Security Engineering