SSH keys stolen by stream of malicious PyPI and NPM packages
#ycombinator #computers #windows #linux #mac #support #tech_support #spyware #malware #virus #security #Coding #Information_Stealer #Information_stealing_malware #npm #Package_Manager #Packages #PyPI #Repository #virus_removal #malware_removal #computer_help #technical_support
#CONDA and #pip (at least the “wheels” part of it) are essentially “binary distros”: they focus on distributing pre-built binaries without concern for how they were built, nor whether they can actually be built from source. Without a conscious effort to require reproducible builds so that anyone can independently verify binaries, these tools are doomed to be not only unsafe but also opaque—and there are to date no signs of CONDA and #PyPI/pip moving in that direction.
➝ 🔓 🇯🇵 #Toyota confirms breach after Medusa #ransomware threatens to leak data
➝ 🇺🇸 😂 Ransomware gang files #SEC complaint over victim’s undisclosed #breach
➝ 🔓 🪶 Attackers claim Plume Design, Inc data breach
➝ 🇺🇸 💰 #ICBC paid ransom after hack that disrupted markets, #cybercriminals say
➝ 🔓 #Dragos Says No Evidence of Breach After Ransomware Gang Claims Hack via Third Party
➝ 🔓 ✈️ Hackers swipe Booking.com, damage from attack is global
➝ 🇷🇺 🇺🇦 Russian #CyberEspionage Group Deploys #LitterDrifter USB #Worm in Targeted Attacks
➝ 🇮🇱 🇺🇸 Israeli Man Who Made $5M From Hacking Scheme Sentenced to Prison in US
➝ 🇫🇮 ⚖️ Alleged Extortioner of Psychotherapy Patients Faces Trial
➝ 🇺🇸 💸 #LockBit ransomware exploits #CitrixBleed in attacks, 10K servers exposed
➝ 🇺🇸 ⚖️ #IPStorm botnet with 23,000 proxies for malicious traffic dismantled
➝ 👶🏻 🧨 Teens with “digital bazookas” are winning the ransomware war, researcher laments
➝ 💸 #Ethereum feature abused to steal $60 million from 99K victims
➝ 🇩🇰 🇷🇺 #Denmark Hit With Largest #Cyberattack on Record
➝ 🇨🇳 🇰🇭 Chinese Hackers Launch Covert #Espionage Attacks on 24 Cambodian Organizations
➝ 🇲🇾 Major Phishing-as-a-Service Syndicate '#BulletProofLink' Dismantled by Malaysian Authorities
➝ 🇪🇺 🥳 EU Parliament committee rejects mass scanning of private and encrypted communications
➝ 🩹 #ICS Patch Tuesday: 90 Vulnerabilities Addressed by Siemens and Schneider Electric
➝ 🦠 🐍 27 Malicious #PyPI Packages with Thousands of Downloads Found Targeting IT Experts
➝ 🇻🇳 🇮🇳 Vietnamese Hackers Using New #Delphi-Powered #Malware to Target Indian Marketers
➝ 🔐 #Google Adds #Passkey Support to New Titan Security Key
➝ 🐛 Zero-Day Flaw in #Zimbra Email Software Exploited by Four Hacker Groups
➝ 🩹 #SAP Patches Critical Vulnerability in Business One Product
➝ 🐛 New #Reptar CPU flaw impacts Intel desktop and server systems
➝ 🐛 New #CacheWarp AMD #CPU attack lets hackers gain root in Linux VMs
📚 This week's recommended reading is: "Tribe of Hackers: Cybersecurity Advice from the Best Hackers in the World" by @marcusjcarey and Jennifer Jin
Subscribe to the #infosecMASHUP newsletter to have it piping hot in your inbox every week-end ⬇️
27 Malicious #PyPI Packages with Thousands of Downloads Found Targeting IT Experts ⚠️
https://thehackernews.com/2023/11/27-malicious-pypi-packages-with.html #Python #PyPI
#PyPi 27 Malicious Python PyPI Packages with Thousands of Downloads Found Targeting IT Experts. The malicious packages include: pyefflorer, pyminor, pyowler, pystallerer, pystob, and pywool:
「27 malicious #PyPI packages with thousands of downloads found targeting IT professionals」: The Hacker News
「It said that 27 packages posing as popular, legitimate #Python libraries had collected thousands of downloads. The majority of the downloads came from the United States, China, France, Hong Kong, Germany, Russia, Ireland, Singapore, the United Kingdom and Japan.」
Among the deceptive packages were named pyefflorer, pyminor, pyowler, pystallerer, pystob, and pywool, with the latter being planted on May 13, 2023.
#Linux users can no longer feel confident that they will not get unwanted garbage on their system when even package managers like #PyPI are contaminated. Destruction is increasing in all areas. Honestly, I don't understand what drives these disgusting creatures to ruin everything. How can you get excited about that? This doesn't just mean crackers, but also all those who wear ties, who also vehemently defend their actions and present them as a blessing for everyone.
🐍 Developers can’t seem to stop exposing credentials in publicly accessible code | @arstechnica
"Researchers from security firm GitGuardian this week reported finding almost 4,000 unique secrets stashed inside a total of 450,000 projects submitted to PyPI, the official code repository for the Python programming language"
"PyPI has completed its first security audit"
@pypi has completed its first security audit
Read all about it in this 3-part blog series:
It was great working with @trailofbits on this.
It has been more than 6 months since my last report of a malicious package on #PyPI, and I started to think about retiring the Package Observatory Club, when I got another true positive:
mathz (or "SPY bot") was rudimentary remote control software with keylogging, screenshot and command execution capabilities. It communicates via Telegram. Comments were in Uzbek, at least according to Google Translate.
It was removed less than 3 minutes after my report - great job!
What has 3,938 total unique secrets across all projects?
This is not a joke.
How do you personally pronounce #PyPI?
(Boosts OK. Also, this is *not* a question about the "correct" pronunciation.)
🐍 Beware, Developers: BlazeStealer Malware Discovered in Python Packages on PyPI
New blog post: Diving into PyPI package name squatting:
I always wanted to find time to dive into the subject, and today's news about yet another malware campaign on PyPI motivated me to do so.
Special thanks to @sethmlarson for providing the dataset.
Yet another software supply chain vulnerability. Last week, I highlighted issues with NuGet packages, this week - PyPi (Python Package Index), as reported by HackerNews, has packages infected with #Blazestealer
#python #pypi #vulnerability - I feel a blog brewing 😀
I had been putting it off out of fear that it was going to be painful & cumbersome.
I can check one thing off of my todo list this week! Thanks for playing nice with your UI/UX #security
This campaign, which began in January 2023, comprised a total of eight packages named Pyobftoexe, Pyobfusfile, Pyobfexecute, Pyobfpremium, Pyobflite, Pyobfadvance, Pyobfuse and pyobfgood, the last of which was published in October.
pypi's own rules on what constitutes an abandoned package and #PEP541 may have some norms to guide you https://peps.python.org/pep-0541/#how-to-request-a-name-transfer
(That is about asking pypi to let you take it over, but I suppose you could use similar rules to justify a fork & rename)
SpikeInterface v0.99.0 has been released on #PyPi!
Just run this to upgrade your installation:
$ pip install --upgrade spikeinterface
Check out the release notes here:
We're also tracking several other campaigns in other ecosystems. More on this to follow.
Not worrying about API tokens is very nice (I used to create a temporary token to upload via `twine`)! Now a release is a 3-step process:
1. Bump version (and I'm using CalVer for everything I push to PyPI, so that's easy to figure out)
2. Run the release workflow (example: https://github.com/brettcannon/microvenv/blob/main/.github/workflows/release.yml)
3. Create a GitHub release
I plan to automate away step 1 via PDM or Hatch. 😁 And I can automate drafting GH releases.
I am surprised by the URL displayed on PyPI for the YAPF project: https://pypi.org/project/yapf/0.40.2/#description
- "url" is displayed instead of "Home",
- no documentation or issue URL is displayed
I thought it could be due to the quotes but the changelog URL is displayed.
Did you know that #Yandex, the evil corporation of the evil state, has automatically registered almost 1200 projects on #PyPI? Apparently they are meant "to prevent Dependency Confusion attacks against Yandex". While many of them are indeed "yandex-namespace", they also registered random names like "selenium2mysql", "browser", "feedback", "git-pre-commit-hook", "parametrized", "easy_install" (removed by admins already)…
Scratch your own itches, they say.
Today's itch is repeatedly asking what version of [package] introduced an incompatible requirement on [other package], so I wrote a small #Python tool for querying the #PyPI JSON APIs to get an answer.
At @codethink we care heavily about safety and we are eager to share this article about the dangers you could possibly face while using a very popular platform.
Learn how to make the most of PyPI while protecting yourself from security risks. In this blog, you will find insightful information on the potential dangers of PyPI and how you can navigate around them safely.
Read the full blog: https://www.codethink.co.uk/articles/2023/pypi-safety/
➝ 🔓 #GitHub repos bombarded by info-stealing commits masked as #Dependabot
➝ 🇯🇵 💸 #Sony Investigating After Hackers Offer to Sell Stolen Data
➝ 🔓 #BORN Ontario child registry #databreach affects 3.4 million people
➝ 🇭🇰 🔓 Personal data of 25,000 Hongkongers at risk after #cyberattack against consumer watchdog, up from earlier estimate of 8,000
➝ 🇺🇸 🔓 National Student Clearinghouse data breach impacts 890 #schools
➝ 🇨🇦 ✈️ #AirCanada discloses data breach of employee and 'certain records'
➝ 🇰🇵 🇪🇸 North Korean hackers posed as #Meta recruiter on #LinkedIn
➝ 👥 ShadowSyndicate: A New #Cybercrime Group Linked to 7 #Ransomware Families
➝ 🇷🇺 ✈️ Russian flight booking system suffers ‘massive’ cyberattack
➝ 🇨🇳 🇺🇸 Chinese hackers stole emails from US State Dept in #Microsoft breach, Senate staffer says
➝ 🇨🇳 Chinese Hackers TAG-74 Targets South Korean Organizations in a Multi-Year Campaign
➝ 🇺🇦 🚀 Ukrainian Military Targeted in Phishing Campaign Leveraging #Drone Manuals
➝ 🥷🏻 💰 Hackers steal $200M from #crypto company #Mixin
➝ 🇳🇬 ⚖️ Nigerian man pleads guilty to attempted $6 million BEC email heist
➝ 🇺🇸 ⚖️ ShinyHunters member pleads guilty to $6 million in data theft damages
➝ 🇨🇳 #China-Linked Budworm Targeting Middle Eastern #Telco and Asian Government Agencies
➝ 🇨🇳 🚪 Backdoored firmware lets China state hackers control #routers with “magic packets”
➝ 🇺🇸 👮🏻♂️ Security researcher warns of chilling effect after feds search phone at #airport
➝ 🦠 ❗️ FBI Warns Organizations of Dual Ransomware, Wiper Attacks
➝ 🤖 🦠 #Bing Chat responses infiltrated by ads pushing #malware
➝ 🏥 🎣 Red Cross-Themed #Phishing Attacks Distributing DangerAds and AtlasAgent Backdoors
➝ 🥷🏻 🐍 #SSH keys stolen by stream of malicious #PyPI and #npm packages
➝ 🏦 🎠 New Variant of #Banking #Trojan BBTok Targets Over 40 Latin American Banks
➝ 🦠 🚪 #Deadglyph: New Advanced Backdoor with Distinctive Malware Tactics
➝ 🚀 #Sysdig Launches Realtime Attack Graph for Cloud Environments
➝ 🐛 📨 Critical vulnerabilities in #Exim threaten over 250k #email servers worldwide
➝ 🔓 Progress warns of maximum severity WS_FTP Server vulnerability
➝ 🩹 🔥 #Google fixes fifth actively exploited Chrome zero-day of 2023
➝ 🩹 🍏 #macOS 14 #Sonoma Patches 60 #Vulnerabilities
➝ 🩹 🦊 #Firefox 118 Patches High-Severity Vulnerabilities
➝ 🤫 ✅ Google quietly corrects previously submitted disclosure for critical #webp 0-day
➝ 👀 🇪🇬 0-days exploited by commercial surveillance vendor in #Egypt
📚 This week's recommended reading is: "Philosophy of Cybersecurity" by @LukaszOlejnik and Artur Kurasinski
Publish Python packages to PyPI with Poetry
While working on my pyxavi #Python library I was wondering how complicated it would be to publish it like the rest of the packages I use often. How difficult is it to build and distribute a project through #PyPI? In this article I go through the steps of building and publishing a Python package to PyPI with #Poetry for everyone to use.
Got a problem with GitLab CI and Variables not being shown on pipelines triggered by $CI_COMMIT_TAG
If anyone has experience/ideas details are at
New #PyPI dataset, who dis?
93% use Python 3.
The latest Python is used by most people (3.10 at the time of the survey), with each older release the next most popular: 3.10, 3.9, 3.8, 3.7, 3.6...
This is interesting as current #PyPI download stats show 3.8, 3.7, 3.9, 3.10, 3.11... There's a big skew for 3.7 from certain Linux distros (https://dev.to/hugovk/why-are-there-still-so-many-downloads-for-eol-python-37-30cp).
@pillow remains around ~30%.
Have you done your part and enabled 2FA? 🤔
🚀 sdfCAD is now available on PyPI!
With this release I added some more shape inspection routines:
- obj.bounds returns [x,x,y,y,z,z] bounds
- obj.volume() brute-forces the object's volume
Both are still a little wonky, though. Lots of iterative optimization under the hood, that can go wrong...
Still useful to e.g. check programmatically if two shapes intersect. That's something #OpenSCAD can't do. 😉
There's also https://www.pepy.tech which has total downloads, but it includes downloads from PyPI and from PyPI mirrors.
To go to the source, both get data from BigQuery:
For itertools.combinations(), itertools.permutations(), itertools.product() ... but as Sequences with random access (like range()) try python_toolbox.combi https://pypi.org/project/python-toolbox/
>>> import python_toolbox.combi
>>> perms = python_toolbox.combi.PermSpace('ABCD')
<Perm: ('A', 'C', 'D', 'B')>
>>> perms.index(('B', 'C', 'D', 'A'))
I have animated a two-channel ‘CHSH’ Bell test experiment, as a #Python program. It is on #PyPI at https://pypi.org/project/Quantum-Correlations-Visualized/
If you read the source code, it will give an explanation of how the #simulation works. I STRONGLY encourage close study of the source code, for the reader to see that it is legitimate.
I'm too lazy to learn/take care of certain things that would be very useful and cool :(
For other people to be able to use it, I would need to publish my version of the plugin on PyPI, but who said I have the knack for that?
It's a mix of mental block and bureaucracy, inertia, laziness, all mixed together. I know it's not super hard, I could, I don't know, watch @dunossauro's livestream on packaging, but it is very, very *hard for me*.
It seems we'll have a lot of "fun" with the #PyPi decision to remove signatures for sdist tarballs (https://blog.pypi.org/posts/2023-05-23-removing-pgp/) going forward.
To scream into the void: Yes, PyPi, someone was using those signatures. Distro package maintainers secured user supply chains with it!
I'm not looking forward to asking dozens of upstreams to host their signatures elsewhere (just stumbled across one case). Meanwhile #reproduciblebuilds is now broken for those packages.
#PyPI will now enforce use of Trusted Publishers or API tokens for uploading distributions if the user has 2FA enabled:
If your package is hosted on GitHub, I highly recommend checking out Trusted Publishers instead of API tokens. You can find official documentation on how to use Trusted Publishers with PyPI here:
#pypi is doing the right thing and requiring 2-factor for all package uploading. It should be much harder to take over abandoned packages by using leaked passwords. I guess I also need to learn how to do the 2nd factor, or maybe just switch my publishing to GitHub Actions.
New blog: Securing PyPI accounts via Two-Factor Authentication, from @dstufft
Removing PGP from PyPI: https://blog.pypi.org/posts/2023-05-23-removing-pgp/ #Python #PyPI #PGP
I've mentioned it before, but in case you missed it and are interested in working for @ThePSF to improve PyPI...
Live launch from the floor of @PyConUS
Starting today, PyPI package maintainers can adopt a new, more secure publishing method that does not require long-lived passwords or API tokens to be shared with external systems.
cool, #Codecov just silently yanked the codecov package completely from #PyPI https://community.codecov.com/t/codecov-yanked-from-pypi-all-versions/4259
In the middle of a PyPI data migration no less.
Latest attack on #PyPI users shows crooks are only getting better
More than 400 malicious packages were recently uploaded to PyPI (Python Package Index), the official code repository for the #Python #programming language, in the latest indication that the targeting of software developers using this form of attack isn't a passing fad.
On November 22, 2022, Flask and Werkzeug downloads per day dropped about 1 million. But I can't find a corresponding rise in any other framework, so I can only assume some service started caching PyPI much better. https://pepy.tech/project/flask?versions=2.2.*&versions=2.*&versions=1.*&versions=* #Python #PyPI