Python developers have once again fallen victim to malicious software libraries lurking in their favourite package manager. The Python security team deleted two software imposters that mimicked packages commonly used in Python programs.
Much of Python’s success stems from its rich development community, which produces hundreds of modules or packages that help developers with basic tasks. One of the most well-known of these communities is the Python Package Index (PyPi). Developers can install and use other peoples’ packages in their own programs using a simple command (
pip install) followed by the package’s name.
One popular package is dateutil, which extends Python’s already powerful date and time manipulation capabilities. You install this using
pip install python-dateutil.
Because there are so many of these packages, it’s possible for someone to slip imposters into the package manager under the radar. An attacker did just this with a rogue package called python3-dateutil.
Note the additional 3 in that name. That’s significant because the Python community is currently making a mass change from version two of the programming language to version three. It’s no surprise to see a package include Python3 in its name, which is what the attacker was banking on.
The fake version contained yet another imposter package, this time impersonating jellyfish, which is a Python library for matching strings of text. The attacker’s version used an old-school phishing trick, replacing a letter with another that looks similar. In this case, it replaced the first l with a capital i.
Lukas Martini, a contributor to the real dateutil package on GitHub, raised the alarm earlier this week. He analysed the code and found it snooping in the victim’s home directory and others, looking for sensitive files including keys used for SSH access and GPG encryption.
He reported the issue to the Python security team, which removed the packages on the same day. The offensive code also used a shortened link to call out to a repository on alternative code hosting site GitLab, which to its credit also took down the code from the malicious user on its site.
Python developers worried about their dateutil installations can use the command
pip freeze to list everything they have installed from PyPi. If their version of the package shows up as python-dateutil, they’re okay. If they see python3-dateutil, they should uninstall it immediately and check their home, documents, downloads, and PycharmProjects folders for sensitive files that may now be in the attacker’s possession.
Malicious attacks on open-source repositories aren’t new. One exploit discovered in October 2018 buried crypto mining code under the hood. In 2017, ten packages were found to contain malicious code, again using typosquatting to fool developers.