PyPI Suspends New User and Project Creation in Wake of Malware Campaign

PyPI Suspends New User and Project Creation in Wake of Malware Campaign(blog.phylum.io)

16 points by louislang 2 years ago | 7 comments

sega_sai 2 years ago |

It is scary. Here they caught the culprit quickly, but if they've been careful, I think they would be able to stay under the radar and still infect a fair few systems.

As a person who regularly runs pip install on my main desktop, I am definitely worried about arbitrary code execution that happens when you pip install. Sure I can run everything inside the container, but given that I do most of my work in python, I think that is too restrictive...

louislang 2 years ago | |

Yeah, the broad campaign makes it extremely noticeable. There are active campaigns right now that don't take this approach. Singular packages with novel malicious payloads.

> As a person who regularly runs pip install on my main desktop, where I am worried about arbitrary code execution that happens when you pip install.

We've open-sourced a sandbox and wrapped the Phylum CLI with it so you can do something like `phylum pip install <pkgName>,` it'll check our API first for known malware, then if it appears clean, will perform the installation in the sandbox. You can specify what the sandbox is allowed to touch in a TOML file.

See: https://github.com/phylum-dev/birdcage

jvanderbot 2 years ago | | |

This is great. Is there something for crates.io?

Does the safety-oriented Rust community do this _automatically_?

jvanderbot 2 years ago |

Honest question: Is this unique to python? or can we expect this in Go, Rust, vcpkg, conan, etc?

louislang 2 years ago | |

No, this is not unique to Python or PyPI. I'm one of the co-founders @ Phylum. We've tracked campaigns across Crates.io, Nuget, npm, PyPi, etc.

see: https://blog.phylum.io/tag/research/

richij 2 years ago |

This one gained more traction: https://news.ycombinator.com/item?id=39856756

nathants 2 years ago |

run littlesnitch or something similar to notice and prevent egress attempts. for now it seems the only effective defense.

hopefully somebody builds a disk snitch. would love to buy that.