Developers are advised to purge these malicious packages

Michael Torrie torriem at gmail.com
Wed Dec 4 17:34:50 EST 2019


On 12/4/19 10:59 AM, David Lowry-Duda wrote:
> I notice that "python3-dateutil" is in over 4000 github repositories 
> [1]. That sounds like a disaster.
> 
> [1]: https://github.com/search?q=python3-dateutil&type=Code

It's clearly not, as Christian has already said. In fact, it would be
very difficult to determine from a github search whether this bad
package was actually deployed anywhere. Since it presents a fake
"dateutil" module, imports would look the same and proper as using the
correct one. The only way this package comes into play is if someone
pip-installed it, or had an install script that installed it, or if it
were bundled in the source tree.

So this is very bad indeed, but not as bad as you suggest. We're not
nearly as much at risk as node.js npm users are yet.


More information about the Python-list mailing list