Pytosquatting, Supply Chain Risk, and the Slovak National Security Bureau
So most of you will have the Slovak ‘NBU’ on your RSS speed-dial, but I found I was a bit behind on my reading of it. As I was catching up, skcsirt-sa-20170909-pypi caught my eye. In a nutshell, its around a phenomena called ‘typo-squatting’. In this case, Python-package name squatting (called pytosquatting).
So there is a popular package ‘urllib2’. The developers moved on to version 3 (urllib3), deleting the old one. Someone moved in and registered ‘urllib’ and ‘urrlib2’. In turn other unwitting people like you and I would do a ‘pip install urllib’ or ‘import urrlib’. Done, right? Wrong! It behaved properly (so you didn’t notice) and then… well… had side-affects you didn’t want. Other typos included ‘urlib3’ (dropped ‘l’) etc.
Here’s a few they highlighted.
- acqusition (uploaded 2017-06-03 01:58:01, impersonates acquisition)
- apidev-coop (uploaded 2017-06-03 05:16:08, impersonates apidev-coop_cms)
- bzip (uploaded 2017-06-04 07:08:05, impersonates bz2file)
- crypt (uploaded 2017-06-03 08:03:14, impersonates crypto)
- django-server (uploaded 2017-06-02 08:22:23, impersonates django-server-guardian-api)
- pwd (uploaded 2017-06-02 13:12:33, impersonates pwdhash)
- setup-tools (uploaded 2017-06-02 08:54:44, impersonates setuptools)
- telnet (uploaded 2017-06-02 15:35:05, impersonates telnetsrvlib)
- urlib3 (uploaded 2017-06-02 07:09:29, impersonates urllib3)
- urllib (uploaded 2017-06-02 07:03:37, impersonates urllib3)