Machine-raiding Python libraries squashed by community – Naked Security


Python developers have once again fallen victim to malicious software libraries lurking in their favourite package manager. The Python security team deleted two software imposters that mimicked packages commonly used in Python programs.

Much of Python’s success stems from its rich development community, which produces hundreds of modules or packages that help developers with basic tasks. One of the most well-known of these communities is the Python Package Index (PyPI). Developers can install and use other people’s packages in their own programs using a simple command (pip install) followed by the package’s name.

One popular package is dateutil, which extends Python’s already powerful date and time manipulation capabilities. You install this using pip install python-dateutil.

Because there are so many of these packages, it’s possible for someone to slip imposters into the package manager under the radar. An attacker did just this with a rogue package called python3-dateutil.

Note the additional 3 in that name. That’s significant because the Python community is currently making a mass change from version two of the programming language to version three. It’s no surprise to see a package include Python3 in its name, which is what the attacker was banking on.
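The lookalike trick described above can be caught before install time by comparing each requirement against the names a project actually depends on. The following is an added example, not code from the article or from PyPI; the allowlist and the requirements text in the test are constructed for illustration.

```python
# Added example (not from the article): flag requirement names that sit a
# character or two away from a known-good dependency, the way
# python3-dateutil sits next to python-dateutil. Allowlist is constructed.
import re

KNOWN_GOOD = {"python-dateutil", "requests"}  # constructed allowlist


def normalize(name: str) -> str:
    """PEP 503 name normalisation: case-fold, collapse runs of -, _ and ."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; an inserted '3' costs exactly 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def find_lookalike(requirement: str, known=KNOWN_GOOD, max_distance: int = 2):
    """Return (suspect, known_name) when the name is near, but not in, the allowlist."""
    name = normalize(requirement)
    known_norm = {normalize(k): k for k in known}
    if name in known_norm:
        return None  # exact match after normalisation is fine
    for k_norm, k in known_norm.items():
        if edit_distance(name, k_norm) <= max_distance:
            return (requirement, k)
    return None


def scan_requirements(text: str):
    """Scan requirements.txt content; return a list of (suspect, known_name)."""
    findings = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        name = re.split(r"[<>=!~\[; ]", line, maxsplit=1)[0]  # strip version spec
        hit = find_lookalike(name)
        if hit:
            findings.append(hit)
    return findings
```

Run it over a requirements file in CI and fail the build on any finding, then review the flagged name by hand, since a legitimate new dependency can also land within two edits of an existing one.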