Pytosquatting, Supply Chain Risk, and the Slovak National Security Bureau

Pytosquatting, Supply Chain Risk, and the Slovak National Security Bureau

So most of you will have the Slovak ‘NBU’ on your RSS speed-dial, but I found I was a bit behind on my reading of it. As I was catching up, skcsirt-sa-20170909-pypi caught my eye. In a nutshell, its around a phenomena called ‘typo-squatting’. In this case, Python-package name squatting (called pytosquatting).

So there is a popular package ‘urllib2’. The developers moved on to version 3 (urllib3), deleting the old one. Someone moved in and registered ‘urllib’ and ‘urrlib2’. In turn other unwitting people like you and I would do a ‘pip install urllib’ or ‘import urrlib’. Done, right? Wrong! It behaved properly (so you didn’t notice) and then… well… had side-affects you didn’t want. Other typos included ‘urlib3’ (dropped ‘l’) etc.

Here’s a few they highlighted.

  • acqusition (uploaded 2017-06-03 01:58:01, impersonates acquisition)
  • apidev-coop (uploaded 2017-06-03 05:16:08, impersonates apidev-coop_cms)
  • bzip (uploaded 2017-06-04 07:08:05, impersonates bz2file)
  • crypt (uploaded 2017-06-03 08:03:14, impersonates crypto)
  • django-server (uploaded 2017-06-02 08:22:23, impersonates django-server-guardian-api)
  • pwd (uploaded 2017-06-02 13:12:33, impersonates pwdhash)
  • setup-tools (uploaded 2017-06-02 08:54:44, impersonates setuptools)
  • telnet (uploaded 2017-06-02 15:35:05, impersonates telnetsrvlib)
  • urlib3 (uploaded 2017-06-02 07:09:29, impersonates urllib3)
  • urllib (uploaded 2017-06-02 07:03:37, impersonates urllib3)

2 Responses to “Pytosquatting, Supply Chain Risk, and the Slovak National Security Bureau”

  1. Thanks for the heads up. A quick helper check that they provided, here for quick access:

    pip list –format=legacy | egrep ‘^(acqusition|apidev-coop|bzip|crypt|django-server|pwd|setup-tools|telnet|urlib3|urllib) ‘

  2. pip install safety-db safety
    safety check –full-report

    parses your requirements.txt, can go in your CI


Leave a Reply

Your email address will not be published.