Slovakian Authorities Issue Critical Warning for Python Users
Via Ars Technica:
The official repository for the widely used Python programming language has been tainted with modified code packages, a computer security authority in Slovakia warned. The authority also said the packages have been downloaded by unwitting developers who incorporated them into software over the past three months.
Multiple code packages were uploaded to the Python Package Index, often abbreviated as PyPI, and were subsequently incorporated into software multiple times from June through this month, Slovakia’s National Security Authority said in an advisory published Thursday. The unidentified people who made available the code packages gave them names that closely resembled those used for packages found in the standard Python library. The packages contained the exact same code as the upstream libraries except for an installation script, which was changed to include a “malicious (but relatively benign) code.”
“Such packages may have been downloaded by unwitting developer[s] or administrator[s] by various means, including the popular ‘pip’ utility (pip install urllib),” Thursday’s advisory stated. “There is evidence that the fake packages have indeed been downloaded and incorporated into software multiple times between June 2017 and September 2017.”
Officials with the Slovak authority said they recently notified PyPI administrators of the activity, and all identified packages were taken down immediately. Removal of the infected libraries, however, does nothing to purge them from servers that installed them. The authority advised developers and administrators to check whether any of their servers are relying on the tainted packages. The advisory provided the specific commands that can be used to perform the check. In the event infected packages are found, administrators should remove them immediately and replace them with the proper package.
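The advisory's own check commands are not reproduced above, so the following is an added example written for this post rather than the authority's script. It implements the defender's check the article describes from the one fact the incident turns on: the standard library ships with the interpreter and is never installed by pip, so any installed distribution whose name collides with a stdlib module (a pip-installed "urllib", for instance) cannot be legitimate and deserves inspection. It assumes Python 3.10 or later for `sys.stdlib_module_names`; on older interpreters it falls back to a short, constructed list of stdlib names that is deliberately incomplete.

```python
"""Flag installed distributions whose names collide with Python standard-library
modules (for example a PyPI package called "urllib").

Added example, not the advisory's own commands. Assumes Python 3.10+ for
sys.stdlib_module_names; older interpreters use a partial fallback list.
"""
import sys
from importlib import metadata

# Partial fallback for interpreters older than 3.10 (constructed, not exhaustive).
FALLBACK_STDLIB = frozenset({
    "urllib", "os", "sys", "json", "socket", "ssl", "subprocess", "logging",
    "collections", "itertools", "functools", "hashlib", "base64", "re",
})


def normalize(name: str) -> str:
    """Normalise a distribution name so 'Urllib' and 'urllib' compare equal.

    Module names use underscores, so hyphens are mapped to underscores here
    before comparison.
    """
    return name.strip().lower().replace("-", "_")


def stdlib_names() -> frozenset:
    """Top-level stdlib module names for this interpreter (3.10+), else fallback."""
    names = getattr(sys, "stdlib_module_names", None)
    return frozenset(names) if names else FALLBACK_STDLIB


def find_stdlib_collisions(installed, stdlib=None):
    """Return installed distribution names that shadow a stdlib module, sorted.

    The stdlib is never installed through pip, so any distribution carrying a
    stdlib module's name is by definition a third-party upload worth inspecting.
    """
    stdlib = stdlib if stdlib is not None else stdlib_names()
    stdlib_norm = {normalize(n) for n in stdlib}
    return sorted({n for n in installed if normalize(n) in stdlib_norm})


def installed_distribution_names():
    """Names of all distributions visible to this interpreter (site-packages, etc.)."""
    return [d.metadata["Name"] for d in metadata.distributions() if d.metadata["Name"]]


def main():
    hits = find_stdlib_collisions(installed_distribution_names())
    if not hits:
        print("no installed distributions collide with stdlib module names")
        return 0
    for name in hits:
        dist = metadata.distribution(name)
        # Report where it lives so an administrator can remove it and reinstall
        # the proper package, as the advisory recommends.
        print(f"SUSPICIOUS: {name} {dist.version} at {dist.locate_file('')}")
    return 1


if __name__ == "__main__":
    sys.exit(main())
```

Run it with the same interpreter that serves the application (`python3 check_stdlib_shadow.py`, or inside each virtual environment), since each environment has its own site-packages. A non-zero exit status makes it easy to drop into a CI step or a fleet-wide inventory job; a hit is a prompt to inspect the package's installation script, not proof of compromise on its own.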