Sonatype shines light on typosquatting ransomware threat in PyPI

Miscreants making use of typosquatting are being spotted by researchers at Sonatype, emphasizing the need to check that the package is really the one you meant to download. The latest packages detected use variations of the spelling of "Requests", a hugely popular HTTP library available via PyPI. Of the project, the …

  1. Doctor Syntax Silver badge

    Does nobody curate these collections? To set them up and then pay no attention to what goes into them is irresponsible in the extreme.

    1. Yet Another Anonymous coward Silver badge

      Indeed, the Lord Chancellor or Her Majesty's Stationery Office should be responsible for allowing people to post their Python code on the web. Libraries might contain the word "color" or other abominations.

      1. Doctor Syntax Silver badge

        PyPI and NPM, also mentioned in the article, are not, on the face of it, collections of random uploads. They present themselves as resources for developers in their respective languages. A user might reasonably expect them to be sources of high quality S/W. AFAICS the reality is that both collections simply accept contributions on trust with mechanisms to remove malware once the damage has been done.

        Should you have the misfortune to fall victim to one of these, possibly as a result of a library downloaded by someone else acting in good faith, you might have occasion to reflect that there are worse problems than spelling variations although these are, in fact, at the very heart of typosquatting. You might even come to the conclusion that uploads should be vetted before being publicly posted. You might even use the term "curated".

        PyPI's "terms of use" make no mention of not uploading malware: they're entirely concerned with an uploader having the rights to distribute the material. They make no mention of the terms on which material is provided to the downloader. Neither is there any mention in the code of conduct.

        NPM is slightly better. The acceptable content, in its 3rd paragraph, forbids malicious content. Perhaps reasonably this positions it after licensing considerations, but both are placed after "harassing, inappropriate, or abusive".

        1. Yet Another Anonymous coward Silver badge

          So who manages them and pays for that?

          Who then is in charge of deciding what is approved?

          Which jurisdiction is that legislated in?

          If you want to pay for a protected app store I'm sure Oracle would provide it

  2. Charlie Clark Silver badge

    The Python Software Foundation has indeed recognised the problem and started steps to mitigate. Initially at least, maintainers of so-called "critical" packages will be required to use 2FA. See https://pypi.org/security-key-giveaway/

    Communication hasn't been brilliant and it took me several goes to get it right but I do now have the two USB keys on my desk waiting for the next step. I did submit the story to El Reg but they obviously decided not to pursue it.

    1. that one in the corner Silver badge

      2FA helps ensure your package

      is under your control and still *is* your package, but how does it help with typosquatting?

      Unless, perhaps, each "critical" package also has packages with all the close-match typos auto-generated (these containing whatever is the equivalent of "this package deliberately left blank") and also put under your 2FA? Wild guess, that isn't happening.
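As an added example (not code from the article, from Sonatype, or from any commenter): the article's point is that a consumer should check that the name being installed is really the one intended, and the comment above imagines enumerating a critical package's close-match typos. The script below does both locally: it parses a requirements file, normalises names the way PyPI does (PEP 503), and flags any name that is not on an allowlist of known packages but sits within one Damerau-Levenshtein edit of one; a second helper generates the single-deletion and adjacent-transposition neighbours of a name. The allowlist and the requirements text are constructed for the demo; a real deployment would load the allowlist from a list of the most-downloaded PyPI projects.

```python
"""Local typosquat check for a pip requirements list (added example)."""
import re

# Constructed allowlist of well-known PyPI names (normalised form).
# Assumption for the demo; in practice load the top-N PyPI project names.
KNOWN_PACKAGES = {
    "requests", "urllib3", "numpy", "pandas", "flask", "django",
    "cryptography", "pyyaml", "setuptools", "pip", "certifi", "idna",
}


def normalize(name):
    """PEP 503 name normalisation: lower-case, runs of '-', '_', '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def damerau_levenshtein(a, b):
    """Optimal-string-alignment distance: insert, delete, substitute, or
    swap two adjacent characters, each costing 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def requirement_name(line):
    """Project name from one requirements.txt line, or None for blanks,
    comments and pip options such as '-r other.txt'."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("-"):
        return None
    m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)", line)
    return normalize(m.group(1)) if m else None


def typosquat_candidates(name, known=KNOWN_PACKAGES, max_distance=1):
    """Known names within max_distance edits of an *unknown* name.
    An exact allowlist hit returns [] (nothing to flag)."""
    n = normalize(name)
    if n in known:
        return []
    return sorted(k for k in known if damerau_levenshtein(n, k) <= max_distance)


def check_requirements(text, known=KNOWN_PACKAGES):
    """(line number, normalised name, near-miss known names) for each suspect line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        name = requirement_name(line)
        if name is None:
            continue
        near = typosquat_candidates(name, known)
        if near:
            findings.append((lineno, name, near))
    return findings


def single_edit_neighbours(name):
    """Names one deletion or one adjacent swap away from `name`: the
    'close-match typos' a defensive pre-registration would have to cover."""
    out = set()
    for i in range(len(name)):
        out.add(name[:i] + name[i + 1:])                       # drop one char
        if i + 1 < len(name) and name[i] != name[i + 1]:
            out.add(name[:i] + name[i + 1] + name[i] + name[i + 2:])  # swap pair
    out.discard(name)
    return out


# Constructed sample input, not any real project's requirements file.
SAMPLE_REQUIREMENTS = """\
# constructed sample
Requests==2.31.0
reqeusts
urllib3>=1.26
nmpy
pyyaml ; python_version >= "3.8"
"""

if __name__ == "__main__":
    for lineno, name, near in check_requirements(SAMPLE_REQUIREMENTS):
        print(f"line {lineno}: {name!r} is not a known package but is one edit from {near}")
    print(f"{len(single_edit_neighbours('requests'))} single-edit neighbours of 'requests'")
```

Run against the sample, the check flags `reqeusts` (line 3) and `nmpy` (line 5) while accepting the correctly spelled names, and the neighbour generator shows how many names a single package would have to squat defensively even before substitutions and insertions are counted. A name check like this is a complement to, not a substitute for, pinning exact versions with `pip install --require-hashes`, which stops a resolved package from changing underneath you but does nothing if the name in the file was wrong to begin with.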

  3. druck Silver badge

    No search

    With pip search disabled, I suspect there is a greater chance of succumbing to typo-squatting modules.
