Multiple Instances of Linux Malware Distributed via PyPi in Last 30 Days
All,

I'm not sure how openSUSE looks at packages or libraries obtained from PyPi, but I've followed a couple of fairly shocking stories in the past two weeks alone related to Python malware distributed via packages obtained from PyPi. The Register summarizes in:

https://www.theregister.com/2023/01/09/pypi_aws_malware_key/?utm_source=daily&utm_medium=newsletter&utm_content=article

with the PyTorch story on Jan 5:

https://www.theregister.com/2023/01/04/pypi_pytorch_dependency_attack/?utm_source=daily&utm_medium=newsletter&utm_content=top-article

I don't do a lot with Python, other than keep up with it and marvel at how the includes and libraries have grown like weeds in a vacant lot for Python3. I know enough to know that pulling libraries via PyPi is an often used and convenient way to handle dependencies. That raises the question - is there anything specific, or any tool openSUSE has looked at, that may help prevent pulling in bad dependencies that are infected?

(other than discourage this manner of obtaining Python code?)

-- 
David C. Rankin, J.D.,P.E.
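One defender-side check that addresses the question above, added here as an example and not code from the thread, from openSUSE or from pip itself: pip's hash-checking mode (`pip install --require-hashes -r requirements.txt`, with `name==version --hash=sha256:...` entries) refuses any artifact whose digest differs from the one that was reviewed, which blocks both a replaced upload and a dependency-confusion substitute. The linter below verifies that a requirements file is actually written that way before it is used; the function names, the sample file and the hash value are constructed for illustration.

```python
"""Lint a pip requirements file for exact pins and sha256 hashes.

Added example, not from the mailing-list thread. It checks the
preconditions for `pip install --require-hashes`: every requirement is
pinned with == and carries a --hash=sha256:... option, and nothing is an
editable/VCS requirement (which pip cannot hash-verify).
"""
import re
from dataclasses import dataclass, field

# "name==version", optionally with extras such as "requests[socks]==2.31.0".
PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*==\s*([^\s;#]+)")
# A pip hash option with a full 64-hex-digit sha256 digest.
HASH_RE = re.compile(r"--hash=sha256:([0-9a-f]{64})\b")


@dataclass
class Finding:
    line_no: int                  # first physical line of the requirement
    requirement: str              # requirement text with comments stripped
    problems: list = field(default_factory=list)


def _logical_lines(text):
    """Join backslash-continued lines; yield (first_line_no, joined_text)."""
    buf, start = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if start is None:
            start = no
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        yield start, " ".join(buf)
        buf, start = [], None
    if buf:                        # file ended on a continuation line
        yield start, " ".join(buf)


def lint_requirements(text):
    """Return a Finding for every requirement pip could not verify by hash."""
    findings = []
    for no, line in _logical_lines(text):
        # pip treats '#' at line start or after whitespace as a comment.
        stripped = re.split(r"(?:^|\s)#", line, maxsplit=1)[0].strip()
        if not stripped:
            continue
        problems = []
        if stripped.startswith(("-e ", "--editable")) or "git+" in stripped:
            problems.append("editable/VCS requirement cannot be hash-verified")
        elif stripped.startswith("-"):
            continue               # -r, --index-url, ... are options, not requirements
        else:
            if not PIN_RE.match(stripped):
                problems.append("not pinned to an exact version with ==")
            if not HASH_RE.search(stripped):
                problems.append("no --hash=sha256:... given")
        if problems:
            findings.append(Finding(no, stripped, problems))
    return findings


def is_hash_locked(text):
    """True when the file is fully usable with pip's --require-hashes mode."""
    return not lint_requirements(text)


# Constructed sample requirements file (the hash is a placeholder digest).
SAMPLE = (
    "# constructed sample requirements file\n"
    "requests==2.31.0 \\\n"
    "    --hash=sha256:" + "a" * 64 + "\n"
    "numpy>=1.24          # version range, not a pin\n"
    "pillow==10.0.0       # pinned, but no hash\n"
    "-e git+https://example.invalid/repo.git#egg=mypkg\n"
)

if __name__ == "__main__":
    for f in lint_requirements(SAMPLE):
        print(f"line {f.line_no}: {f.requirement}: {'; '.join(f.problems)}")
    print("hash-locked:", is_hash_locked(SAMPLE))
```

Run it against a real `requirements.txt` by passing the file contents to `lint_requirements`; a file that passes can then be installed with `--require-hashes`, and the hashes for a reviewed set of wheels can be generated with `pip hash` or a lock tool that emits them.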
On 2023-01-10 08:07, David C. Rankin wrote:
> All,
>
> I'm not sure how openSUSE looks at packages or libraries obtained from PyPi, but I've followed a couple of fairly shocking stories in the past two weeks alone related to python malware distributed via packages obtained from PyPi. The Register summarizes in:

An aside: let me suggest that the correct link is:

<https://www.theregister.com/2023/01/09/pypi_aws_malware_key/>

I.e., delete the tracking section after the "?".

-- 
Cheers / Saludos,
Carlos E. R.
(from 15.4 x86_64 at Telcontar)
On 1/10/23 02:39, Carlos E. R. wrote:
> An aside: let me suggest that the correct link is:
>
> <https://www.theregister.com/2023/01/09/pypi_aws_malware_key/>
>
> I.e., delete the tracking section after the "?".

Wow! See Carlos, you are saving me from malware already! :)

-- 
David C. Rankin, J.D.,P.E.
On 2023-01-10 01:07:45 David C. Rankin wrote:
|All,
|
| I'm not sure how openSUSE looks at packages or libraries obtained from
|PyPi, but I've followed a couple of fairly shocking stories in the past
| two weeks alone related to python malware distributed via packages
| obtained from PyPi. The Register summarizes in:
|
|https://www.theregister.com/2023/01/09/pypi_aws_malware_key/?utm_source=daily&utm_medium=newsletter&utm_content=article
|
|with PyTorch story on Jan 5:
|
|https://www.theregister.com/2023/01/04/pypi_pytorch_dependency_attack/?utm_source=daily&utm_medium=newsletter&utm_content=top-article
|
| I don't do a lot with python, other than keep up with it and marvel at
| how the includes and libraries have grown like weeds in a vacant lot for
| Python3. I know enough to know that pulling libraries via PyPi is an
| often used and convenient way to handle dependencies. That raises the
| question - is there anything specific, or any tool openSUSE has looked at
| that may help prevent pulling in bad dependencies that are infected?
|
| (other than discourage this manner of obtaining python code?)

Unfortunately, because of openSUSE's conservative way of providing mostly back-level packages, one often has to obtain Python support components from outside their repositories, and it seems that even Pacman can't keep up with the Python community's profluent activity.

Leslie

-- 
Platform: Linux
Distribution: openSUSE Leap 15.4 x86_64