Michael Lazin via plug on 3 Aug 2021 19:25:31 -0700



Re: [PLUG] PyPI - malicious libraries


I got interested in this, and downloaded the source code.  It was last updated April 26th. This means that the bad code is still in the repository, if I am indeed looking at the right repository from here:

https://pypi.org/project/PyGithub/#history

I looked at the code to see if anything stuck out, and I noticed this:

$ grep GET *.py | grep gists
AuthenticatedUser.py:        :calls: `GET /gists <http://docs.github.com/en/rest/reference/gists>`_
AuthenticatedUser.py:        :calls: `GET /gists/starred <http://docs.github.com/en/rest/reference/gists>`_
Gist.py:        :calls: `GET /gists/{gist_id}/comments/{id} <http://docs.github.com/en/rest/reference/gists#comments>`_
Gist.py:        :calls: `GET /gists/{gist_id}/comments <http://docs.github.com/en/rest/reference/gists#comments>`_
Gist.py:        :calls: `GET /gists/{id}/star <http://docs.github.com/en/rest/reference/gists>`_
MainClass.py:        :calls: `GET /gists/{id} <http://docs.github.com/en/rest/reference/gists>`_
MainClass.py:        headers, data = "" f"/gists/{id}")
MainClass.py:        :calls: `GET /gists/public <http://docs.github.com/en/rest/reference/gists>`_
NamedUser.py:        :calls: `GET /users/{user}/gists <http://docs.github.com/en/rest/reference/gists>`_

The code makes calls to Github gists, which are small bits of example code.

Github scans their repositories for malicious code, but this repository has had malicious code since April 26th if it is the right repository.  This may be a sign of a weakness in Github's security.  I don't know whether the gists are malicious or not, but seeing this raises questions to me, because if you can reference bad code inside a gist inside a Github project, it may escape their detection methods.  This is just a theory I developed by looking at the code briefly tonight, I might be wrong about this.  I will probably explore this in depth tomorrow because it is honestly fascinating, but I wanted to share this idea since this is a forum for the open source community.  This might be a weakness in Github's security if they scan the repositories but don't scan user gists.

Thanks,

Michael Lazin
.. τὸ γὰρ αὐτὸ νοεῖν ἐστίν τε καὶ εἶναι.
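The grep above matches docstrings as well as executable code. As an added check (my own example, not code from PyGithub or from the post), this script parses each .py file of an unpacked sdist and separates docstring mentions of gists from string literals that running code can actually use, such as request paths; the sample module is constructed to mimic the grep hits, not copied from PyGithub.

```python
"""Added example (not PyGithub's or the post's code): split "gists" hits in an
unpacked sdist into docstring text vs. string literals that running code can use."""
import ast
import pathlib
import tempfile

NEEDLE = "gists"
DOC_OWNERS = (ast.Module, ast.ClassDef, ast.FunctionDef, ast.AsyncFunctionDef)

# Constructed stand-in for MainClass.py: one docstring hit and one f-string hit.
SAMPLE = '''class Github:
    def get_gist(self, id):
        """
        :calls: `GET /gists/{id} <http://docs.github.com/en/rest/reference/gists>`_
        """
        headers, data = self._requester.requestJsonAndCheck("GET", f"/gists/{id}")
        return data
'''

def classify_strings(source, filename="<mem>"):
    """Return {'docstring': [(line, text)], 'code': [(line, text)]} for NEEDLE hits."""
    tree = ast.parse(source, filename)
    docstring_ids = set()
    for node in ast.walk(tree):
        first = node.body[0] if isinstance(node, DOC_OWNERS) and node.body else None
        if isinstance(first, ast.Expr) and isinstance(first.value, ast.Constant) \
                and isinstance(first.value.value, str):
            docstring_ids.add(id(first.value))  # the docstring's own Constant node
    hits = {"docstring": [], "code": []}
    for node in ast.walk(tree):
        # f-string pieces are Constant nodes too, so f"/gists/{id}" lands in "code"
        if isinstance(node, ast.Constant) and isinstance(node.value, str) and NEEDLE in node.value:
            kind = "docstring" if id(node) in docstring_ids else "code"
            hits[kind].append((node.lineno, node.value.strip().splitlines()[0][:80]))
    return hits

def scan_tree(root):
    # Map each parsable .py file under root to its classified hits.
    report = {}
    for path in sorted(pathlib.Path(root).rglob("*.py")):
        try:
            report[path.name] = classify_strings(path.read_text(), str(path))
        except SyntaxError:
            pass  # an unparsable .py inside a package is itself worth a manual look
    return report

def demo():
    # Write the constructed sample into a temp dir and scan it like a real sdist.
    with tempfile.TemporaryDirectory() as tmp:
        (pathlib.Path(tmp) / "MainClass.py").write_text(SAMPLE)
        return scan_tree(tmp)
```

Run it against the directory you get from `pip download --no-binary :all:` plus `tar xf`; entries under "code" are the ones that deserve a look at what the surrounding call does with the URL.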


On Tue, Aug 3, 2021 at 8:21 PM jeffv via plug <plug@lists.phillylinux.org> wrote:

Credit-card-stealing, backdoored packages found in Python's PyPI library hub


https://www.theregister.com/2021/08/02/in_brief_security/


Malicious libraries capable of lifting credit card numbers and opening
backdoors on infected machines have been found in PyPI, the official
third-party software repository for Python.
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug