Typo-squatted Python packages: the backdoor to the careless coder.
The details: A security engineer who goes by the name of “Bertus” discovered twelve Python libraries in PyPI which contained malicious code. The code was added to “newly-created, but fully functional projects, and more specifically to the setup.py files,” which means it ran at install time rather than when the library was imported. The code was designed to collect data from the infected system, obtain boot persistence or “even open a reverse shell on remote workstations.” Not the most original target functionality, but a sucker is born every day.
Why it matters: Bertus found the twelve Python packages by scanning PyPI with an automated system that looked for packages whose names closely resembled those of popular projects. This technique is known as “typo-squatting”: eleven of the packages carried names slightly modified from the popular Python framework Django, such as “diango,” “dajango” and “djanga.” The twelfth package, “colourama” (a near-miss of the legitimate “colorama”), was intended to hijack the operating system clipboard and scan it for Bitcoin address strings. The attacker’s Bitcoin address contained only $40, according to ZDNet, so apparently the dreams of easy riches in the crypto market have gone unrealized.
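The scanning approach described above can be reproduced in a few dozen lines. The following is an added example, not Bertus’s scanner or any code from the article: it normalizes package names the way PyPI does (PEP 503), then flags any candidate whose name sits within a small edit distance (including adjacent-letter swaps) of a package on a reference list of popular names. The reference list and the candidate list are constructed for the example; the candidates include the four squatted names reported in the article plus a few legitimate names that should not be flagged. A real deployment would feed it the full PyPI simple index and a top-downloads list instead.

```python
import re
from typing import Dict, List, Tuple

# Reference set of popular packages (assumption: a real scanner would load
# the top-N most-downloaded PyPI project names here).
POPULAR_PACKAGES: List[str] = ["django", "colorama", "requests", "numpy"]

# Constructed candidate list: the squatted names from the article plus
# legitimate names that must not be flagged.
CANDIDATES: List[str] = [
    "diango", "dajango", "djanga", "colourama",   # reported typo-squats
    "Django", "requests", "flask", "django-rest-framework",  # legitimate
]


def normalize(name: str) -> str:
    """Normalize a distribution name as PyPI does (PEP 503): lower-case,
    with runs of '-', '_' and '.' collapsed to a single '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal string alignment distance: insertions, deletions,
    substitutions and adjacent transpositions each cost 1. Transpositions
    matter because 'djanog'-style swaps are a common typo pattern."""
    la, lb = len(a), len(b)
    d = [[0] * (lb + 1) for _ in range(la + 1)]
    for i in range(la + 1):
        d[i][0] = i
    for j in range(lb + 1):
        d[0][j] = j
    for i in range(1, la + 1):
        for j in range(1, lb + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(
                d[i - 1][j] + 1,        # deletion
                d[i][j - 1] + 1,        # insertion
                d[i - 1][j - 1] + cost, # substitution / match
            )
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[la][lb]


def find_typosquats(
    candidates: List[str],
    popular: List[str] = POPULAR_PACKAGES,
    max_distance: int = 2,
) -> Dict[str, Tuple[str, int]]:
    """Return {candidate: (closest_popular_name, distance)} for every
    candidate within max_distance of a popular package. A candidate whose
    normalized name equals a popular name is the genuine package and is
    skipped; everything further away than max_distance is ignored."""
    hits: Dict[str, Tuple[str, int]] = {}
    normalized_popular = [normalize(p) for p in popular]
    for cand in candidates:
        n = normalize(cand)
        if n in normalized_popular:
            continue
        dist, target = min((damerau_levenshtein(n, p), p) for p in normalized_popular)
        if dist <= max_distance:
            hits[cand] = (target, dist)
    return hits


if __name__ == "__main__":
    for name, (target, dist) in find_typosquats(CANDIDATES).items():
        print(f"{name!r} looks like {target!r} (distance {dist})")
```

Keep the distance threshold low: at distance 1 or 2 the hit list is short enough to review by hand, while larger thresholds drown genuine squats in unrelated short names. Normalizing before comparing matters because PyPI treats `Django`, `django` and `DJANGO` as the same project, so a case-only variant is not a squat at all.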
The hacker perspective:
Randori DevOps Security Engineer Fran Donoso says,
"It is interesting for a few reasons. One, people who install Python libraries are often not looking at what the Python libraries do on the inside. It is literally arbitrary code that is running on someone's machine, right? Ideally it is code that you trust and you know is doing something you expect that you want to use. But if someone installs or creates a fake library that you install, you could potentially be giving them access to your machine. Or a production server that code is running on.
It's like a backdoor to the careless coder."