Developers are advised to purge these malicious packages

Christian Heimes christian at python.org
Wed Dec 4 13:17:58 EST 2019


On 04/12/2019 18.59, David Lowry-Duda wrote:
> I notice that "python3-dateutil" is in over 4000 GitHub repositories 
> [1]. That sounds like a disaster.
> 
> [1]: https://github.com/search?q=python3-dateutil&type=Code

At least the first pages are packaging files for Debian, Fedora, and
other Linux distributions. Downstream distributions provide a Python
package under multiple names. For example, Fedora's build spec [1]
creates python2-dateutil and python3-dateutil packages from the
python-dateutil upstream project.

Attackers abuse this fact and try to typo-squat packages in the hope that
somebody uses the Linux distribution package name "python3-dateutil"
instead of the upstream name "python-dateutil" in requirements.txt.

Christian

[1]
https://src.fedoraproject.org/rpms/python-dateutil/blob/master/f/python-dateutil.spec
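
The following is an added example, not part of the message above or of any project's code: a small check that scans a requirements.txt for names carrying the distribution prefixes python2-/python3-, the confusion the reply describes. The function names and the sample file are constructed for illustration, and the suggested "python-<rest>" spelling is only a review hint taken from the dateutil case (the upstream project may be named differently).

```python
import re

# Distribution packaging prefixes named in the message (python2-/python3-).
DISTRO_PREFIX = re.compile(r"^python[23]-(?P<rest>.+)$")
# Leading project name of a requirement line (PEP 508 name characters).
REQ_NAME = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalize(name):
    """PEP 503 normalization: lowercase, runs of -, _ and . become one '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def distro_style_requirements(text):
    """Return (line_no, name, candidate) for python2-/python3- style names.

    candidate is the python-<rest> spelling to compare against the upstream
    project's real name; it is a hint for review, not a verified package.
    """
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split(" #", 1)[0].strip()  # drop trailing comments
        # Skip blanks, full-line comments, pip options (-r, -e, --hash ...).
        if not line or line.startswith(("#", "-")):
            continue
        m = REQ_NAME.match(line)
        if not m:
            continue
        name = normalize(m.group(1))
        d = DISTRO_PREFIX.match(name)
        if d:
            findings.append((line_no, name, "python-" + d.group("rest")))
    return findings


# Constructed sample input, not taken from any real project.
SAMPLE = """\
# constructed requirements.txt
requests>=2.22
Python3_DateUtil==2.9.0  # distro name used by mistake
python-dateutil>=2.8
-r other.txt
python2-foo[extra]; python_version < "3"
"""

if __name__ == "__main__":
    for line_no, name, candidate in distro_style_requirements(SAMPLE):
        print(f"line {line_no}: '{name}' looks like a distro package name; "
              f"check upstream '{candidate}'")
```
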



More information about the Python-list mailing list