
PyPI Flooded with 1,275 Dependency Confusion Packages

Sonatype’s automated malware detection platform Nexus Firewall has flagged multiple dependency confusion packages on the PyPI registry today, all uploaded by the same user.

On January 23rd, PyPI user arturlebedev began flooding the PyPI registry with 1,275 packages, as observed by Sonatype.

(Screenshot: 1,200+ dependency confusion packages flooding PyPI)

The full list is too long to include in a single article, but several of the package names stand out because they appear to target popular open source projects and companies:

  1. Sagepay, imitates the well-known British payment processor.
  2. Apple-py-music, named after a Python-based Apple Music project.
  3. Google-themed packages such as xgoogle-cloud-storage, xgoogle-cloud-core, and others.
  4. AadhaarCrypt, named after a legitimate API project that “[lets] users store Aadhaar Card information online in [a] secure way.” Aadhaar is India’s biometric national identification system.
  5. Xsetuptools, a one-letter variation on the name of Python’s setuptools packaging library.
  6. Openbabel-python, named after the Open Babel chemistry toolkit used by chemists and scientists.
  7. OpenRobotics, named after the Mountain View-based nonprofit.
  8. Xpip, an alias used within the Xon.sh project.
  9. Airflow-*, imitating Apache Airflow-related plugins and scripts.
  10. Xcryptography, an apparent transitive dependency used by some projects.
  11. librat, as referenced in many OSS projects.

Sonatype reported all 1,275 packages to the PyPI admins today, and they removed the packages within an hour of our report.
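Why a package like this is dangerous even though its PyPI page is empty: a build that lists a private index with `--extra-index-url` lets pip pool the candidates from every index and install whichever carries the highest version number, so a same-named public upload with a large version wins. The script below is an added illustration and is not Sonatype's, PyPI's or pip's code; the project names, version numbers and the two index tables are constructed sample data, and `resolve()` is a deliberately simplified model of pip's candidate selection (numeric-only versions, no PEP 440 edge cases). The one piece that mirrors real behaviour exactly is `normalize()`, which applies the PEP 503 name normalisation PyPI uses, and which is why `Acme_Billing.Client` and `acme-billing-client` collide.

```python
import re

# Constructed sample data (hypothetical names and versions, not a live registry query).
# PRIVATE_INDEX stands for an organisation's internal index; PUBLIC_INDEX stands for
# PyPI, where an attacker has uploaded a same-named project with a huge version number.
PRIVATE_INDEX = {
    "acme-billing-client": ["1.4.2", "1.4.1"],
    "acme-infra-tools": ["0.9.0"],
}
PUBLIC_INDEX = {
    "requests": ["2.31.0"],
    "Acme_Billing.Client": ["9999.0"],   # attacker upload; odd casing and separators on purpose
    "xsetuptools": ["1.0"],              # one-letter variation on a well-known name
}


def normalize(name: str) -> str:
    """PEP 503 project-name normalisation, as used by PyPI and pip: runs of '-', '_'
    and '.' collapse to a single '-' and the result is lower-cased."""
    return re.sub(r"[-_.]+", "-", name).lower()


def version_key(version: str):
    """Minimal numeric ordering for the sample versions (assumption: dotted integers only)."""
    return tuple(int(part) for part in version.split("."))


def candidates(name: str, index: dict) -> list:
    """All versions of `name` an index offers, matching on the normalised name."""
    wanted = normalize(name)
    found = []
    for project, versions in index.items():
        if normalize(project) == wanted:
            found.extend(versions)
    return found


def resolve(name: str, indexes: dict):
    """Model of pip with --extra-index-url: candidates from every configured index are
    pooled and the highest version wins, regardless of which index served it.
    `indexes` maps an index label to its {project: [versions]} table.
    Returns (index_label, version), or None when no index carries the project."""
    best = None
    for label, index in indexes.items():
        for version in candidates(name, index):
            if best is None or version_key(version) > version_key(best[1]):
                best = (label, version)
    return best


def find_confusable(internal_names, public_index: dict) -> list:
    """Defensive check: which internal project names already exist on the public index?
    Any hit is a name an attacker has claimed (or could claim) for dependency confusion."""
    public = {normalize(project) for project in public_index}
    return sorted(name for name in internal_names if normalize(name) in public)


if __name__ == "__main__":
    # Build configured with only the private index: the internal 1.4.2 is installed.
    print(resolve("acme-billing-client", {"private": PRIVATE_INDEX}))
    # Same build with PyPI added as an extra index: the attacker's 9999.0 wins.
    print(resolve("acme-billing-client", {"private": PRIVATE_INDEX, "pypi": PUBLIC_INDEX}))
    # Names in the private index that are already taken on the public one.
    print(find_confusable(PRIVATE_INDEX, PUBLIC_INDEX))
```

The defensive counterparts follow directly from the model: point pip at a single `--index-url` (a proxy that serves internal packages and mirrors PyPI, rather than two independent indexes), pin dependencies with `--require-hashes` so a different artifact fails the install even if it resolves, and run a `find_confusable`-style check against your own private package names so a public registration of one of them is noticed before a build picks it up.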

What’s Inside the Packages?

Nearly all of the 1,200+ packages are identical in structure. Given their volume, their internal contents, and the fact that all of them were dumped on PyPI on the same day, we believe these components were generated automatically by a script that parsed the names of well-known companies and existing open source projects.

The PyPI homepages for these packages seen by Sonatype were typically blank, with no description of the package. Interestingly, we also did not (Read more...)

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Ax Sharma. Read the original post at: https://blog.sonatype.com/pypi-flooded-with-over-1200-dependency-confusion-packages