Devs unknowingly use “malicious” modules snuck into official Python repository

(Image credit: Cedar101)

The official repository for the widely used Python programming language has been tainted with modified code packages, a computer security authority in Slovakia warned. The authority also said the packages have been downloaded by unwitting developers who incorporated them into software over the past three months.

Multiple code packages were uploaded to the Python Package Index, often abbreviated as PyPI, and were subsequently incorporated into software multiple times from June through this month, Slovakia’s National Security Authority said in an advisory published Thursday. The unidentified people who uploaded the packages gave them names that closely resembled those of packages found in the standard Python library. The packages contained exactly the same code as the upstream libraries except for the installation script, which was changed to include “malicious (but relatively benign) code.”

“Such packages may have been downloaded by unwitting developer[s] or administrator[s] by various means, including the popular ‘pip’ utility (pip install urllib),” Thursday’s advisory stated. “There is evidence that the fake packages have indeed been downloaded and incorporated into software multiple times between June 2017 and September 2017.”
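The attack described above works because a name such as `urllib` is a standard-library module that should never need to be fetched from PyPI, and because near-miss names are easy to mistake for genuine ones. The following script is an added example, not code from the article or from the Slovak authority: it audits a list of requested package names before installation, flagging any that exactly shadow a public standard-library module and any that are within a small edit distance of one. The requirements list is constructed for illustration; `sys.stdlib_module_names` is a real attribute of Python 3.10+, with a small hard-coded fallback assumed for older interpreters.

```python
import difflib
import sys

# Fallback for interpreters older than 3.10, which lack sys.stdlib_module_names.
# This is a deliberately short, constructed subset for the example.
_FALLBACK_STDLIB = {
    "urllib", "http", "json", "socket", "ssl", "collections",
    "os", "sys", "subprocess", "hashlib",
}

# Public top-level standard-library names (private ones such as "_socket" are dropped).
STDLIB_NAMES = frozenset(getattr(sys, "stdlib_module_names", _FALLBACK_STDLIB))
PUBLIC_STDLIB = frozenset(n for n in STDLIB_NAMES if not n.startswith("_"))


def normalize(name):
    """Lower-case and fold '-' to '_' so 'Url-Lib' and 'url_lib' compare equal."""
    return name.strip().lower().replace("-", "_")


def classify(requested, stdlib=PUBLIC_STDLIB, cutoff=0.85):
    """Return (verdict, matched_stdlib_name_or_None) for one requested package.

    'shadows-stdlib': the name IS a stdlib module; installing it from PyPI is never
                      necessary, so the request itself is suspicious (e.g. 'urllib').
    'near-stdlib':    the name is a close edit-distance match to a stdlib module and
                      deserves human review before installation.
    'ok':             no resemblance to a stdlib module (this says nothing about
                      whether the package is otherwise trustworthy).
    """
    name = normalize(requested)
    if name in stdlib:
        return ("shadows-stdlib", name)
    # difflib's ratio is 2*matches/(len(a)+len(b)); 0.85 catches one-character slips.
    close = difflib.get_close_matches(name, stdlib, n=1, cutoff=cutoff)
    if close:
        return ("near-stdlib", close[0])
    return ("ok", None)


def audit(requirements):
    """Classify every requested name; returns {requested_name: (verdict, match)}."""
    return {req: classify(req) for req in requirements}


def flagged(requirements):
    """Names that should block or pause an install (anything other than 'ok')."""
    return sorted(r for r, (verdict, _) in audit(requirements).items() if verdict != "ok")


# Constructed sample requirements list: one genuine stdlib name taken from the
# advisory's example ('urllib'), one more stdlib name, one near-miss, and two
# ordinary third-party names.
SAMPLE_REQUIREMENTS = ["urllib", "socket", "collection", "requests", "numpy"]

if __name__ == "__main__":
    for req, (verdict, match) in audit(SAMPLE_REQUIREMENTS).items():
        note = f" (matches stdlib '{match}')" if match else ""
        print(f"{req:12s} {verdict}{note}")
    print("blocked:", flagged(SAMPLE_REQUIREMENTS))
```

Run this over a requirements file before `pip install -r`; any `shadows-stdlib` hit is almost certainly a mistake or a lookalike, since the interpreter already ships that module. The `near-stdlib` heuristic is only a prompt for review: it does not catch lookalikes of popular third-party packages, and a short cutoff will produce some false positives on legitimately short names.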


Biz & IT – Ars Technica