back to article Sonatype shines light on typosquatting ransomware threat in PyPI

Miscreants making use of typosquatting are being spotted by researchers at Sonatype, emphasizing the need to check that the package is really the one you meant to download. The latest packages detected use variations of the spelling of "Requests", a hugely popular HTTP library available via PyPI. Of the project, the …

  1. Doctor Syntax Silver badge

    Does nobody curate these collections? To set them up and then pay no attention of what goes into them is irresponsible in the extreme.

    1. Yet Another Anonymous coward Silver badge

      Indeed, the Lord Chancellor or Her Majesty's Stationary Office should be responsible for allowing people to post their Python code on the web. Libraries might contain the word "color" or other abominations

      1. Doctor Syntax Silver badge

        PyPi and NPM, also mentioned in the article, are not, on the face of it, collections of random uploads. They present themselves as resources for developers in their respective languages. A user might reasonably expect them to be sources of high quality S/W. AFAICS the reality is that both collections simply accept contributions on trust with mechanisms to remove malware once the damage has been done.

        Should you have the misfortune to fall victim to one of these, possibly as a result of a library downloaded by someone else acting in good faith, you might have occasion to reflect that there are worse problems than spelling variations although these are, in fact, at the very heart of typosquatting. You might even come to the conclusion that uploads should be vetted before being publicly posted. You might even use the term "curated".

        PyPi's "terms of use" make no mention of not uploading malware: they're entirely concerned with an uploader having the rights to distribute the material. They make no mention of the terms on which material is provided to the downloader. Neither is there any mention in the code of conduct.

        NPM is slightly better. The acceptable content, in its 3rd paragraph forbids malicious content. Perhaps reasonably this positions it after licencing considerations but both are placed after "harassing, inappropriate, or abusive".

        1. Yet Another Anonymous coward Silver badge

          So who manages them and pays for that?

          Who then is in charge of deciding what is approved?

          Which jurisdiction is that legislated in ?

          If you want to pay for a protected app store I'm sure Oracle would provide it

  2. Charlie Clark Silver badge

    The Python Software Foundation has indeed recognised the problem and started steps to mitigate. Initially at least, maintainers of so-called "critical" packages will be required to use 2FA. See

    Communication hasn't been brilliant and it took me several goes to get it right but I do now have the two USB keys on my desk waiting for the next step. I did submit the story to El Reg but they obviously decided not to pursue it.

    1. that one in the corner Silver badge

      2FA helps ensure your package

      is under your control and still *is* your package, but how does it help with typosquatting?

      Unless, perhaps, each "critical" package also has packages with all the close-match typos auto-generated (these containing whatever is the equivalent of "this package deliberately left blank") and also put under your 2FA? Wild guess, that isn't happening..

  3. druck Silver badge

    No search

    With pip search disabled, I suspect there is a greater chance of succumbing to typo-squatting modules.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like