skcsirt-sa-20170909-pypi: Fake package, execution of benign malware
Copies of several well-known Python packages were published under slightly modified names in the official Python package repository, PyPI (prominent examples include urllib vs. urllib3, bzip vs. bzip2, etc.). These packages contain exactly the same code as their upstream package, so their functionality is unchanged, but the installation script, setup.py, is modified to include malicious (but relatively benign) code.
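The two properties the advisory describes, a name that is one character away from a well-known package and an install script that does more than call setup(), can both be checked before a package is installed. The following script is an added example written for this page; it is not code from the advisory, from SK-CSIRT, or from GitLab. The allowlist of known package names, the watchlist of modules an install script has no reason to import, and the sample setup.py contents are all constructed for illustration (the allowlist reuses the names the advisory mentions; in practice it would come from your approved-dependency inventory).

```python
import ast

# Constructed allowlist of legitimate package names (assumption: loaded from
# an organisation's approved-dependency inventory in real use).
KNOWN_PACKAGES = {"urllib3", "bzip2", "requests", "setuptools", "numpy"}

# Constructed watchlist: modules that a setup.py normally has no reason to
# import. Network and process-execution modules at install time are the signal.
SUSPICIOUS_MODULES = {"socket", "subprocess", "urllib", "http", "requests",
                      "ftplib", "smtplib"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,          # delete
                           cur[j - 1] + 1,       # insert
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def typosquat_candidates(requested, known=KNOWN_PACKAGES, max_distance=1):
    """Return {requested_name: closest_known_name} for names that are not in
    the allowlist but sit within max_distance edits of an allowlisted name."""
    flagged = {}
    for name in requested:
        norm = name.lower().replace("_", "-")   # PEP 503 style normalisation
        if norm in known:
            continue
        best = min(known, key=lambda k: levenshtein(norm, k))
        if levenshtein(norm, best) <= max_distance:
            flagged[name] = best
    return flagged


def suspicious_setup_imports(source: str):
    """Parse setup.py source with ast (no execution) and list imports of
    watchlisted modules. Returns a sorted list of dotted module names."""
    tree = ast.parse(source)
    found = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name.split(".")[0] in SUSPICIOUS_MODULES:
                    found.add(alias.name)
        elif isinstance(node, ast.ImportFrom) and node.module:
            if node.module.split(".")[0] in SUSPICIOUS_MODULES:
                found.add(node.module)
    return sorted(found)


# Constructed sample install script mimicking the pattern in the advisory:
# the real setup() call is present, but network modules are pulled in too.
SAMPLE_SETUP_PY = '''
from setuptools import setup
import socket, urllib.request   # no legitimate purpose in an install script
setup(name="urllib", version="0.0.1")
'''

if __name__ == "__main__":
    # Constructed requirements list: one genuine name, two look-alikes.
    requested = ["requests", "urllib", "bzip"]
    print("possible typosquats:", typosquat_candidates(requested))
    print("suspicious imports in setup.py:",
          suspicious_setup_imports(SAMPLE_SETUP_PY))
```

Both checks are heuristics for a pre-install review (for example, run over an sdist fetched with `pip download` before it is installed), not a substitute for pinning hashes or an allowlisted index. The AST scan in particular only sees literal import statements; install scripts that build imports dynamically or decode their payload at runtime will not be flagged, which is a reason to treat any unexpected top-level code in setup.py as worth a look.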