back to article Python Package Index nukes 3,653 malicious libraries uploaded soon after security shortcoming highlighted

The Python Package Index, also known as PyPI, has removed 3,653 malicious packages uploaded days after a security weakness in the use of private and public registries was highlighted. Python developers use PyPI to add software libraries written by other developers in their own projects. Other programming languages implement …

  1. Anonymous Coward
    Anonymous Coward

    Which is correct?

    Quote: "...a Tokyo-based IP address (101.32.99.28)..."

    *

    A whois request says it's Singapore.....

    1. Anonymous Coward
      Anonymous Coward

      Re: Which is correct?

      Good ol ACs, always cutting to the real meat of the question.

      What were we discussing again?

    2. Tom 38 Silver badge

      Re: Which is correct?

      Prefix whois is more accurate for these sorts of things, as its based on the global routing table rather than just the network allocation - the whois record you are saying "its Singapore" is just saying that the /16 is registered in Singapore, where as prefix whois determines what AS it is in and where that AS is located.

      > $ whois -h whois.pwhois.org 101.32.99.28

      IP: 101.32.99.28

      Origin-AS: 132203

      Prefix: 101.32.96.0/20

      AS-Path: 8220 1299 2516 132203

      AS-Org-Name: Tencent Building, Kejizhongyi Avenue

      Org-Name: ACEVILLE PTE.LTD.

      Net-Name: ACEVILLEPTELTD-SG

      Latitude: 35.689506

      Longitude: 139.691700

      City: Tokyo

      Region: Tokyo

      Country: Japan

      Country-Code: JP

  2. Not in Vogue

    A get with the package name to an IP somewhere? Like phoning home? There's plenty to be suspicious about that...

  3. don't you hate it when you lose your account Silver badge

    Tip of the iceberg

    How long has this been flagged as a problem? Upstream poisoning is a major problem and other than turning off the Internet is going to be a total bugger to sort out.

  4. Doctor Syntax Silver badge

    "The fact that the author left a non-working email address and has not stepped forward might equally well mean that this was a real malware attack disguised as the act of a good samaritan."

    Od an infosec salesman trying to drum up business?

  5. xeroks

    Someone somewhere

    Even with the libraries removed, someone somewhere now has a list of organisations who are vulnerable to this attack, along with the name of at least some of their private libraries.

    Let's hope the someone is wearing a white hat, and will let the organisations know.

  6. Tom 7 Silver badge

    I doubt I've got any of the code

    but I've got about 70 or so virtual python installs to update to be sure.

    And those are just the ones I'm playing with.

  7. Baudwalk

    C/C++ library discovery and building is...

    ...tedious.

    But it's stories like these that make me love even these deficiencies of the C++ ecosystem.

    It does mean reinventing the wheel more often than developers who exclusively code in Rust, Python, Go, Java, C#, JavaScript, Perl, Ruby, OCaml, Haskell, ... *sigh* (wipes tear away) *sniffle*

    But at least the risc of catching, and distributing, something nasty is lessened.

  8. Charlie Clark Silver badge

    Python still has problems with the cheeseshop

    Even though a lot of work was done to improve scalability, there remain lots of elementary problems with PyPI. For example, I need to change the project homepage for one of my packages but I cannot do this through the website, I must create a new version of the package and upload it.

    I love the Python language but it's an open secret that the infrastructure doesn't get the attention it needs. Instead we're being force fed things like type hints…

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021