Three Malicious Packages after More than 10,000 Downloads Are Removed by PyPI Admins

The Python Package Index (PyPI) has removed thousands of dangerous packages. They borrowed the names of other packages to trick users, but were really deploying malware and stealing data.
Two of the three malicious packages listed the source code URL of an existing popular library as their own. This made them appear to have a large, active community of users and contributors, when in fact that appearance was the trick.
The packages ‘dpp-client’ and ‘dpp-client1234’ were uploaded by the same user and targeted users of Apache Mesos, a cluster management platform.
dpp-client was uploaded to PyPI in February 2021 and had been downloaded from PyPI more than 600 times in the last month. Andrew Scott, product manager at Palo Alto and maintainer of the Python security project Ochrona Security, thanked the Python security team for removing the package promptly on December 13th, the same day he reported the vulnerability to them.
A third package, the Trojan-smuggling ‘aws-login0tool’, had about 600 downloads between its appearance on PyPI on December 1 and the alert to the PyPI admins on December 10.
Scott said Ochrona, an open source software composition analysis tool, can help developers see which packages are in their project and check whether their mirror is present. He also plans to update and refine the package analysis and to publish more information later.
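The two tricks described above (borrowing a well-known name, and bolting a suffix such as `1234` onto one) can be screened for on the defender's side before a dependency is installed. The following is an added example, not Ochrona's code or any PyPI tooling: it parses a requirements-style list, flags the three package names the article says were removed, and flags names that are near misses of a small, constructed list of popular packages (`POPULAR_PACKAGES` is an assumption for the example, not a list from the page). The sample requirements text is constructed.

```python
"""Screen a dependency list for known-removed and look-alike package names.

Added example for illustration; not code from the article, Ochrona, or PyPI.
"""
import difflib
import re

# The three packages the article reports PyPI removed.
REMOVED_PACKAGES = {"dpp-client", "dpp-client1234", "aws-login0tool"}

# Assumed list of popular names a typosquat would imitate (constructed for this example;
# a real deployment would use a maintained allow-list of the project's own dependencies).
POPULAR_PACKAGES = sorted({"requests", "boto3", "awscli", "numpy", "urllib3", "django", "flask"})


def normalize(name):
    """PEP 503 name normalisation: case-insensitive, runs of '-', '_' and '.' collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text):
    """Return normalised package names from requirements.txt-style text.

    Comments, blank lines, option lines (e.g. '-r other.txt'), version specifiers
    and extras are ignored; only the bare project name is kept.
    """
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        match = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)", line)
        if match:
            names.append(normalize(match.group(1)))
    return names


def check_name(name):
    """Classify one dependency name.

    Returns 'removed' for a name on the removed list, 'lookalike:<popular>' for a
    near miss of a popular name, or None when nothing suspicious is found.
    """
    if name in REMOVED_PACKAGES:
        return "removed"
    if name in POPULAR_PACKAGES:
        return None
    # Typo-style near miss, e.g. 'reqeusts' vs 'requests' (similarity ratio >= 0.85).
    close = difflib.get_close_matches(name, POPULAR_PACKAGES, n=1, cutoff=0.85)
    if close:
        return f"lookalike:{close[0]}"
    # A popular name with a trailing run of digits, the 'dpp-client1234' pattern;
    # a long suffix drops the similarity ratio below the cutoff, so check it explicitly.
    stripped = re.sub(r"\d+$", "", name).rstrip("-")
    if stripped != name and stripped in POPULAR_PACKAGES:
        return f"lookalike:{stripped}"
    return None


def audit(text):
    """Map each suspicious dependency name in `text` to its finding."""
    findings = {}
    for name in parse_requirements(text):
        result = check_name(name)
        if result:
            findings[name] = result
    return findings


# Constructed sample requirements file mixing clean and suspicious entries.
SAMPLE_REQUIREMENTS = """
# constructed sample, not a real project's dependencies
requests==2.31.0
numpy>=1.24
dpp-client1234          # one of the removed packages
reqeusts                # typo of a popular name
aws-login0tool          # one of the removed packages
-r other-requirements.txt
"""

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_REQUIREMENTS).items():
        print(f"{name}: {finding}")
```

Run as a script it prints one line per suspicious entry; in a CI job the `audit()` result can fail the build when non-empty. The digit-suffix rule is what catches the `dpp-client1234` pattern, because a four-digit suffix alone pushes the string similarity against `dpp-client` below the 0.85 cutoff used for plain typos.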