PIP Install Malware?!

Introduction

If you are a Python developer then you are aware of pip. However, were you aware of the potential malware threat associated with Python’s recommended package-management system? This article will discuss the security threats associated with pip and what you can do to protect yourself against them.

What is PIP?

Package Installer for Python or (pip) is the de facto and recommended package-management system written in Python and is used to install and manage software packages. It connects to an online repository of public packages, called the Python Package Index(PyPI). For example, let’s say you want to install the request module. You would use the following syntax:

pip install request

This command will download the source code of the request package and install it into your local Python environment, allowing you to utilize its functionality.

PIP’s Vulnerabilities

In general practice, Python developers will usually upload secure and ethical code to the PyPI repository. However, you would be surprised to know, there are no third-party checks on the code that is uploaded to PyPI. The only restriction is that once a package name exists, only the maintainer(s) can upload packages with that name. Meaning you can’t submit a package using an already established name.

Unfortunately, this security feature can be exploited. In 2016, research proved that PyPI could be exploited through typosquatting. The researcher uploaded some harmless “simulation malware” to PyPI under names that were misspelled versions of popular package names, in order to collect data on how often these misspelled packages were installed. If a script kiddie or black-hat hacker was doing this then they could have used a much more malicious script.

Malware on PyPI

On July 28, 2022 researchers at Sonatype discovered malicious code on PyPI. The packages were named "requesys," "requesrs," and "requesr," which are all common typosquats of "requests" — a legitimate and widely used HTTP library for Python. Sonatype immediately reported this incident to PyPI’s administrators, and two of the packages have since been removed.

According to the researchers at Sonatype, the packages (requesys) was downloaded about 258 times, presumably by developers who made typographical errors when attempting to download the real "requests" package. One version of the requesys package contained the encryption and decryption code in plaintext Python. But a subsequent version contained a Base64-obfuscated executable that made analysis a little harder, according to Sonatype.

Nothing harmful found

According to Sonatype, developers who ended up with their system encrypted received a pop-up message instructing them to contact the author of the package for the decryption key. Victims were able to obtain the decryption key without having to make a payment for it. Which according to Sonatype, “makes this case more of a gray area rather than outright malicious activity.”

Information on the hacker’s Discord channel shows that at least 15 victims had installed and run the package.

A Growing Threat

This event is one of an increasing number of recent occurrences where hackers have hidden harmful code in commonly used software repositories in an effort to lure developers into downloading and installing it in their environments. For instance, Sonatype discovered in May that 300 developers had mistakenly downloaded "Pymafka," a malicious program for disseminating Cobalt Strike, from the PyPI registry thinking it was the popular and trustworthy Kafka client "PyKafka."

In July, researchers at Kaspersky discovered four information-stealing packages in the Node Package Manager (npm) repository.

Conclusion

Hopefully after reading this article, you now realize why it is important to pay close attention to what you download from public code repositories such as PyPI. Security researchers state that organizations must pay closer attention to their software supply chains — especially when it comes to using open source software from public repositories such as PyPI. Remember, as a Python developers, it is always your responsibility to ensure your packages are secure. Be very careful when typing out the names of popular libraries, as typosquatting is one of the most common methods for this exploitation.

Additionally, it behooves you to take preemptive measure to protect your files in your day-to-day operations. Use a trusted antivirus and malware protection software, use secure & strong passwords, always use secure internet connections, and always, always, always — backup your data!

If you found this article helpful or have any questions please leave a comment.