cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ashwani_Paliwal
Newcomer I

Why the ecosystem of Python is in danger?

Python's PyPI repository is broken!

What's PyPI?
If you have used "pip install" to install any python package, you are downloading it from a PyPI repository.

In 99% of your use cases, you have never opened the installed package to check its source code and that's fine, you aren't expected to.
It's a library and it is supposed to provide a utility for you to build a more complex program where all your focus typically lies.

But time and again its been discovered that many of these libraries are also installing either a crypto mining program or stealing your sensitive information like AWS keys and GitHub account credentials.

This has been such a consistent problem that it has ceased to gather any attention altogether now.

How is this possible you may ask? Well, it's because anyone can upload a new package on the PyPI repository and its maintainers do little to check for any malicious code being uploaded.

The most common trap is libraries with similar-looking names. "requests" is a legitimate library, whereas "request" is malware which every now and then keeps popping up on PyPI.
Now if you mistakenly happen to type the command
"pip install request"
you have successfully loaded a malware that steals your passwords stored in the system.

Python was listed as one of the top 3 popular languages in the StackOverflow 2021 survey. Trust in the ecosystem is a big factor in Python's universal usage and PyPI's current condition has the capabilities to single-handedly destroy it.
This needs a fix!

3 Replies
Beads
Advocate I

You have brought forth a good and well known problem but without remedy. The answers for security practitioners are all well and fine but what do you suggest that we tell and train our less than security minded user base?

 

Problems are easy. Solutions, not so much. 😁

 

- B/Eads

gidyn
Contributor I

There are many scanners to find vulnerable dependencies. This is particularly easy with source packages, as the scanner can directly analyze the source code.
Beads
Advocate I

I am very well aware of many scanners but prodding you to provide a solution to YOUR problem. I would check the origin of my download, scan with VirusTotal first and my allow my own AV to scan on demand if I had any concerns.

 

I like to be more accurate than a game of horseshoes.

 

- B/Eads