Python programming libraries found hiding security threats

Someone’s been typosquatting their way into Python products

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

Threat actors have been using typosquatting to attack Pythondeveloperswith malware, researchers have claimed.

Experts from Spectralops.io recently analyzed PyPI, a software repository for Python programmers, and found ten malicious packages on the platform. All of these were given names that are almost identical to the names of legitimate packages in order to dupe developers into downloading, and adopting, the tainted ones.

This type of attack is called typosquatting, and is a common occurrence among cybercriminals. It’s not used just on code repositories (although we’ve seen numerous instances on GitHub, for example, in the past), but also in phishingemails, fake websites, and in identity theft.

Thousands of developers at risk

Thousands of developers at risk

Should the victims adopt these packages, they’d be giving threat actors keys to their kingdoms, given that themalwareenables private data theft, as well as the theft of developer credentials. The attackers would then send the data to a third party, with the victims never knowing what happened. As of today, Spectralops reminds, PyPi has more than 600,000 active users, suggesting that the threat landscape is quite large.

“These attacks rely on the fact that the Python installation process can include arbitrary code snippets, which is a place for malicious players to put their malicious code at,” explained Ori Abramovsky, Data Science Lead at Spectralops.io. “We discovered it using machine learning models which analyze the code of these packages and auto alert on the malicious ones.”

Here’s the full list of the affected packages:

Tackling malicious domains and typosquatting>Simple supply chain attack compromises hundreds of websites and apps>Here’s what we think are the best firewalls right now

The researchers reached out to PyPI which, soon after, removed the malicious packages from its repository. Still, developers that downloaded them in the past are still at risk, and should refresh their passwords and other login credentials, just in case.

Are you a pro? Subscribe to our newsletter

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

“What’s remarkable here is just how common these malicious packages are,” Abramovsky continued. “They are simple, yet dangerous. Personally, once I encountered these types of attacks, I started double checking every Python package I use. Sometimes I even download it and manually observe its code prior to installing it.”

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

This new phishing strategy utilizes GitHub comments to distribute malware

Should your VPN always be on?

NYT Strands today — hints, answers and spangram for Sunday, November 10 (game #252)