In case you haven't heard about this: https://developers.slashdot.org/story/17/09/16/2030229/pythons-official-repository-included-10-malicious-typo-squatting-modules
Here is the Slashdot summary:

| The Slovak National Security Office (NBU) has identified ten malicious
| Python libraries uploaded on PyPI -- Python Package Index -- the
| official third-party software repository for the Python programming
| language. NBU experts say attackers used a technique known as
| typosquatting to upload Python libraries with names similar to
| legitimate packages -- e.g.: "urlib" instead of "urllib." The PyPI
| repository does not perform any types of security checks or audits
| when developers upload new libraries to its index, so attackers had no
| difficulty in uploading the modules online.
|
| Developers who mistyped the package name loaded the malicious
| libraries in their software's setup scripts. "These packages contain
| the exact same code as their upstream package thus their functionality
| is the same, but the installation script, setup.py, is modified to
| include a malicious (but relatively benign) code," NBU explained.
| Experts say the malicious code only collected information on infected
| hosts, such as name and version of the fake package, the username of
| the user who installed the package, and the user's computer hostname.
| Collected data, which looked like "Y:urllib-1.21.1 admin testmachine",
| was uploaded to a Chinese IP address. NBU officials contacted PyPI
| administrators last week who removed the packages before officials
| published a security advisory on Saturday.

-- Alain.

--
https://mail.python.org/mailman/listinfo/python-list
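The summary above describes the attack pattern (a dependency name one or two characters away from the intended one) but not how a project might catch such a slip before `pip` resolves it. The following is an added example, not part of the original post and not code from NBU or PyPI: it parses `requirements.txt` lines, normalizes names the way PyPI does (PEP 503: case-insensitive, runs of `-`, `_` and `.` collapse to `-`), and flags any name that is not in a project-maintained allowlist but is within a small edit distance of one. The allowlist and the sample requirements are constructed for the example; `urllib` is included only because the summary uses it as its illustration.

```python
# Added example (not from the original post, NBU or PyPI): flag requirement
# names that are near-misses of packages a project is known to depend on.
import re

# Constructed allowlist: the packages this hypothetical project legitimately uses.
KNOWN_PACKAGES = {"urllib3", "requests", "setuptools", "numpy", "cryptography", "urllib"}


def edit_distance(a, b):
    """Levenshtein distance between two strings (insert/delete/substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute (free if equal)
        prev = cur
    return prev[-1]


def normalize(name):
    """PEP 503 name normalization, so 'Setup_Tools' and 'setup-tools' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirement(line):
    """Return the project name from one requirements.txt line, or None for
    blank lines, comments and pip options such as '-r other.txt'."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("-"):
        return None
    m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)", line)
    return m.group(1) if m else None


def check_requirements(lines, known=KNOWN_PACKAGES, max_distance=2):
    """Return a list of (requested_name, closest_known_name, distance) for every
    requirement that is not an exact allowlist match but is close to one."""
    normalized_known = {normalize(k): k for k in known}
    findings = []
    for line in lines:
        name = parse_requirement(line)
        if name is None:
            continue
        n = normalize(name)
        if n in normalized_known:
            continue  # exact match: fine
        closest = min(normalized_known, key=lambda k: edit_distance(n, k))
        d = edit_distance(n, closest)
        if d <= max_distance:
            findings.append((name, normalized_known[closest], d))
    return findings


# Constructed sample requirements file; "urlib", "setup-tools" and "reqeusts"
# are the kind of near-miss names the advisory describes.
SAMPLE_REQUIREMENTS = [
    "requests==2.18.4",
    "urlib",
    "setup-tools",
    "# transitive pins below",
    "numpy>=1.13",
    "-r other.txt",
    "cryptography",
    "reqeusts",
]

if __name__ == "__main__":
    for requested, closest, d in check_requirements(SAMPLE_REQUIREMENTS):
        print(f"suspicious: {requested!r} is {d} edit(s) from known package {closest!r}")
```

The check only tells you that a name is suspiciously close to one you meant; a name that is exactly right can still resolve to a package you have never reviewed. For the installation step itself, pip's hash-checking mode (`pip install --require-hashes -r requirements.txt`, with a `--hash=sha256:...` on every line) rejects any artifact whose digest differs from the one you pinned, which covers the case where the right name is served with the wrong `setup.py`.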