Developers are advised to purge these malicious packages

Pankaj Jangid p4j at j4d.net
Thu Dec 5 04:32:47 EST 2019


Christian Heimes <christian at python.org> writes:
> On 04/12/2019 18.59, David Lowry-Duda wrote:
>> I notice that "python3-dateutil" is in over 4000 github repositories
>> [1]. That sounds like a disaster.
>> 
>> [1]: https://github.com/search?q=python3-dateutil&type=Code
>
> At least the first pages are packaging files for Debian, Fedora, and
> other Linux distributions. Downstream distributions provide a Python
> package under multiple names. For example, Fedora's build spec [1]
> creates python2-dateutil and python3-dateutil packages from the
> python-dateutil upstream project.
>
> Attackers abuse this fact and try to typo-squat packages in the hope that
> somebody uses the Linux distribution package name "python3-dateutil"
> instead of the upstream name "python-dateutil" in requirements.txt.
>
Nice explanation. Thanks.

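An added example, not part of this thread and not any project's code, of the defensive check that the explanation above suggests: a small Python linter that flags python2-/python3- prefixed names in a requirements.txt so the upstream PyPI name can be verified before installing. The regexes, function names and the sample file are my own assumptions, and the check is a heuristic, since a PyPI project could in principle use such a name legitimately.

```python
import re
from typing import List, Optional, Tuple

# Distro-style prefixes: Debian and Fedora generate e.g. "python3-dateutil"
# from the upstream project "python-dateutil", but a requirements.txt should
# name the upstream project. Assumed heuristic, not a PyPI rule.
DISTRO_PREFIX = re.compile(r"^python[23]-(?P<rest>.+)$", re.IGNORECASE)

# A requirement line starts with the project name; extras, version
# specifiers and environment markers follow it and are ignored here.
NAME_RE = re.compile(r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)")


def requirement_name(line: str) -> Optional[str]:
    """Return the project name from one requirements.txt line, or None for
    blank lines, comments and option lines such as '-r other.txt'."""
    stripped = line.split("#", 1)[0].strip()
    if not stripped or stripped.startswith("-"):
        return None
    m = NAME_RE.match(stripped)
    return m.group("name") if m else None


def flag_distro_style_names(requirements_text: str) -> List[Tuple[int, str, str]]:
    """Scan requirements.txt content and return (line_no, name, hint) for each
    requirement whose name carries a python2-/python3- distro prefix. The hint
    names the candidates to check against the real upstream project on PyPI."""
    findings = []
    for line_no, line in enumerate(requirements_text.splitlines(), start=1):
        name = requirement_name(line)
        if name is None:
            continue
        m = DISTRO_PREFIX.match(name)
        if m:
            rest = m.group("rest")
            hint = f"distro-style name; verify upstream is 'python-{rest}' or '{rest}'"
            findings.append((line_no, name, hint))
    return findings


if __name__ == "__main__":
    # Constructed sample input, not a real project's requirements file.
    SAMPLE = """\
# pinned deps
requests>=2.22  # fine
python-dateutil==2.8.1
python3-dateutil  # distro name, not the PyPI project
-r base.txt
Python2-examplelib[extra]>=1.0; python_version < "3"
"""
    for line_no, name, hint in flag_distro_style_names(SAMPLE):
        print(f"line {line_no}: {name}: {hint}")
```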