Pytosquatting, Supply Chain Risk, and the Slovak National Security Bureau

So most of you will have the Slovak 'NBU' on your RSS speed-dial, but I found I was a bit behind on my reading of it. As I was catching up, skcsirt-sa-20170909-pypi caught my eye. In a nutshell, its around a phenomena called 'typo-squatting'. In this case, Python-package name squatting (called pytosquatting).

So there is a popular package 'urllib2'. The developers moved on to version 3 (urllib3), deleting the old one. Someone moved in and registered 'urllib' and 'urrlib2'. In turn other unwitting people like you and I would do a 'pip install urllib' or 'import urrlib'. Done, right? Wrong! It behaved properly (so you didn't notice) and then... well... had side-affects you didn't want. Other typos included 'urlib3' (dropped 'l') etc.

Here's a few they highlighted.

  • acqusition (uploaded 2017-06-03 01:58:01, impersonates acquisition)
  • apidev-coop (uploaded 2017-06-03 05:16:08, impersonates apidev-coop_cms)
  • bzip (uploaded 2017-06-04 07:08:05, impersonates bz2file)
  • crypt (uploaded 2017-06-03 08:03:14, impersonates crypto)
  • django-server (uploaded 2017-06-02 08:22:23, impersonates django-server-guardian-api)
  • pwd (uploaded 2017-06-02 13:12:33, impersonates pwdhash)
  • setup-tools (uploaded 2017-06-02 08:54:44, impersonates setuptools)
  • telnet (uploaded 2017-06-02 15:35:05, impersonates telnetsrvlib)
  • urlib3 (uploaded 2017-06-02 07:09:29, impersonates urllib3)
  • urllib (uploaded 2017-06-02 07:03:37, impersonates urllib3)
Tagged with: , , ,
2 comments on “Pytosquatting, Supply Chain Risk, and the Slovak National Security Bureau
  1. db Mike says:

    Thanks for the heads up. A quick helper check that they provided, here for quick access:

    pip list –format=legacy | egrep ‘^(acqusition|apidev-coop|bzip|crypt|django-server|pwd|setup-tools|telnet|urlib3|urllib) ‘

  2. db db says:

    pip install safety-db safety
    safety check –full-report

    parses your requirements.txt, can go in your CI

    see pyup.io

Leave a Reply

Your email address will not be published. Required fields are marked *

*