NULL mag Issue 03 06 Malicious package in Python
Article from https://hackaday.com/2018/10/31/when-good-software-goes-bad-malware-in-open-source/
Open Source software is always trustworthy, right? [Bertus] broke a story
about a malicious Python package called "Colourama". When used, it quietly
installs a VBScript (so only Windows hosts are affected) that watches the
system clipboard for a Bitcoin address and replaces it with a hardcoded one.
Essentially this package attempts to redirect Bitcoin payments to whoever
uploaded the "colourama" library.
Why would anyone install this thing? There is a legitimate package named
"Colorama" that makes ANSI color escape sequences work in the Windows
terminal. It's a fairly popular library, but more importantly, the name
contains a word with multiple spellings. If you ask a friend to recommend a
color library and she says "colourama" with a British accent, you might
just spell it that way. So the attack is simple: copy the original project's
code into a new, misspelled project, and add a nasty surprise.
Sneaking malicious software into existing codebases isn't new, and this
particular cheap and easy attack vector has a name: "typo-squatting". But
how did this package get hosted on PyPI, the main source of community
contributed goodness for Python? How many of you have downloaded packages
from PyPI without looking through all of the source? pip install colorama?
We'd guess that it's nearly all of us who use Python.
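One cheap defence against the typo-squatting described above is to compare every name in a requirements file against the packages you actually intend to depend on and flag near misses. The following Python script is an added example written for this reprint, not code from the Hackaday article, from [Bertus], or from PyPI. It assumes a constructed allowlist (KNOWN_PACKAGES) and a constructed requirements.txt (SAMPLE_REQUIREMENTS); names are normalized the way PyPI does (PEP 503) before comparison, and the distance used counts adjacent transpositions ("reqeusts") as a single edit, which plain Levenshtein does not.

```python
import re
from typing import List, Optional, Tuple

# Constructed allowlist: the packages a team actually intends to depend on.
# In practice this would come from a reviewed lock file, not a literal.
KNOWN_PACKAGES = ["colorama", "requests", "numpy", "urllib3", "six"]

# Constructed sample requirements.txt, including two typo-squat candidates.
SAMPLE_REQUIREMENTS = """
# constructed sample requirements.txt
colourama==0.4.1      # one letter off from colorama
numpy==1.26.4
Requests>=2.31
reqeusts              # transposed letters in requests
python-dateutil
""".splitlines()


def normalize(name: str) -> str:
    """Normalize a project name as PyPI does (PEP 503): lowercase, and
    any run of '-', '_' or '.' collapses to a single '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal string alignment distance: an insertion, deletion,
    substitution, or transposition of two adjacent characters costs 1."""
    prev2: List[int] = []
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Transposition: a[i-1] == b[j-2] and a[i-2] == b[j-1]
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)
        prev2, prev = prev, cur
    return prev[len(b)]


def requirement_name(line: str) -> Optional[str]:
    """Extract the project name from one requirements.txt line, skipping
    blank lines, comments, and option lines such as '-r other.txt'."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("-"):
        return None
    m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
    return m.group(0) if m else None


def check_requirements(
    lines: List[str], known: List[str], max_distance: int = 2
) -> List[Tuple[str, str, int]]:
    """Return (suspect, lookalike, distance) for every requirement that is
    not on the allowlist but lies within max_distance edits of an entry."""
    known_norm = sorted({normalize(k) for k in known})
    findings: List[Tuple[str, str, int]] = []
    for line in lines:
        name = requirement_name(line)
        if name is None:
            continue
        n = normalize(name)
        if n in known_norm:
            continue  # exact (normalized) match: the intended package
        best = min(known_norm, key=lambda k: damerau_levenshtein(n, k))
        d = damerau_levenshtein(n, best)
        if d <= max_distance:
            findings.append((name, best, d))
    return findings


if __name__ == "__main__":
    for suspect, lookalike, dist in check_requirements(SAMPLE_REQUIREMENTS, KNOWN_PACKAGES):
        print(f"SUSPECT {suspect!r}: {dist} edit(s) from allowlisted {lookalike!r}")
```

Run against the constructed file, this flags "colourama" (one insertion from colorama) and "reqeusts" (one transposition from requests) while passing "numpy", "Requests" and "python-dateutil". Treat it as a review aid rather than a gate: very short legitimate names will sit within two edits of each other, so a human still decides. The stronger complementary control is to pin every dependency to a hash in a reviewed lock file and install with pip's --require-hashes, so a lookalike name, or a hijacked release of the right name, fails to install at all.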
It's not just Python, either. A similar issue was found in the npm JavaScript
registry in 2017. A user submitted a handful of new packages, all
typo-squatting on existing, popular packages. Each package contained
malicious code that grabbed environment variables (where CI tokens and API
keys often live) and uploaded them to the author. How many web devs
installed these packages in a hurry?