There is a brand new hack out there that has very quietly affected many of people. Malicious developers uploaded slightly misspelled library names in Python’s package installer PyPi. Prominent examples include urllib vs. urrlib3, bzip vs. bzip2, etc.). These packages contain the exact same code as their upstream package thus their functionality is the same, but the installation script, setup.py, is modified to include a malicious (but relatively benign) code. It is very similar to what happens when you type in http://cnnn.com/ vs. http://cnn.com/
What does PyPi do exactly?
PyPi (Python Package Index) is a repository of software for the Python programming language. There are currently 117,189 packages installed that users can download. It is the default repository for python developers around the world. If you want to install a common library, you use a special tool called pip, which knows how to pull files down from the PyPi.
1. Run this simple one-page python code to check for bad packages. Ref: https://github.com/williamforbes/pypi_hacked_names
The output will look something like this in verbose mode.
2. if you don’t have any of the bad packages, then there is no problem. However, make sure you review all of your virtual environments and run the same script.
3. If you do have a potentially compromised library, don’t use pip uninstall as it runs code in the package. Just go to the directory and delete the package.
That’s it! This is a very insidious attack. Will keep tracking this at PyPi to see if we can help protect users.