LONDON (IT BOLTWISE) – Security researchers have discovered vulnerabilities in older Python packages that could pose a risk to the supply chain. These vulnerabilities could be exploited through domain takeover to inject malicious code into the Python Package Index (PyPI).
In the world of software development, supply chain security is critical. Recent discoveries by security researchers have shown that older Python packages have vulnerabilities that could potentially lead to supply chain compromise. These vulnerabilities particularly affect the Python Package Index (PyPI) and could be exploited through a domain takeover.
Security firm ReversingLabs has identified a vulnerability in the bootstrap files of an automation tool called “zc.buildout.” These scripts automate the process of downloading, building and installing the required libraries and tools. A particularly problematic aspect is that the bootstrap script requires an installation file from the domain python-distribute[.]org, which has been for sale since 2014.
The affected PyPI packages include tornado, pypiserver, slapos.core, roman, xlutils and testfixtures. The problem lies in an old bootstrap script that supports the installation of an outdated package called “Distribute”. This package was a short-lived fork of the Setuptools project, whose features were integrated back into Setuptools in 2013, making Distribute obsolete.
The danger is that many packages still provide the bootstrap script that attempts to install Distribute. Since the domain python-distribute[.]org is for sale, attackers could take advantage of this situation to spread malicious code when the script is executed. This could lead to sensitive data being stolen.
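As an added example (not part of the article or of ReversingLabs' research), the following script shows how a maintainer or package reviewer can detect the pattern described above: it scans bootstrap scripts in an unpacked source tree for download URLs that point at the abandoned python-distribute.org domain (or a subdomain of it) or that fetch an installer over plain HTTP. The sample bootstrap text is constructed for the demo, and the `bootstrap*.py` file pattern and the abandoned-domain list are assumptions a team would tune to its own environment.

```python
import re
import sys
from pathlib import Path
from urllib.parse import urlparse

# Domain the article names as abandoned and for sale; extend with your own
# list of retired hosts (assumption: the operator maintains that list).
ABANDONED_DOMAINS = {"python-distribute.org"}

# Matches http(s) URLs up to whitespace or a quote/bracket that would end
# a Python string literal.
URL_RE = re.compile(r"""https?://[^\s'"<>)]+""")

def is_abandoned(host: str) -> bool:
    """True if host is, or is a subdomain of, a known abandoned domain."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in ABANDONED_DOMAINS)

def find_risky_urls(script_text: str) -> list:
    """Return (url, reason) pairs for download URLs in a bootstrap script
    that point at an abandoned domain or are fetched without TLS."""
    findings = []
    for url in URL_RE.findall(script_text):
        host = urlparse(url).hostname or ""
        if is_abandoned(host):
            findings.append((url, "abandoned domain"))
        elif url.lower().startswith("http://"):
            findings.append((url, "unencrypted download"))
    return findings

def scan_tree(root: str, pattern: str = "bootstrap*.py") -> list:
    """Walk a source tree (e.g. an unpacked sdist) and report risky URLs
    in every bootstrap script found (file pattern is an assumption)."""
    report = []
    for path in Path(root).rglob(pattern):
        text = path.read_text(encoding="utf-8", errors="replace")
        report.extend((str(path), u, why) for u, why in find_risky_urls(text))
    return report

# Constructed sample in the style of the old Distribute bootstrap the
# article describes; not copied from any real package.
SAMPLE_BOOTSTRAP = '''
DISTRIBUTE_SETUP = "http://python-distribute.org/distribute_setup.py"
INDEX_URL = "https://pypi.org/simple/"
'''

if __name__ == "__main__":
    if len(sys.argv) > 1:
        hits = scan_tree(sys.argv[1])
    else:
        hits = [("<sample>", u, w) for u, w in find_risky_urls(SAMPLE_BOOTSTRAP)]
    for path, url, why in hits:
        print(f"{path}: {url} ({why})")
```

Run it with a directory argument to scan a real checkout; without one it reports on the constructed sample.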
Another example of the domain takeover threat is the case of the npm package fsevents in 2023. An attacker took over an unclaimed cloud resource and used it to distribute malicious executable files to users. This type of attack pattern is common in the malware world and highlights the need to formally decommission outdated modules.
The discovery of these vulnerabilities coincides with the identification of a malicious package called “spellcheckers” in PyPI. This package, which claims to be a spell checking tool, actually contains malicious code that connects to an external server and runs a Remote Access Trojan (RAT).


Please send any additions and information to the editorial team by email to de-info[at]it-boltwise.de. Since we cannot rule out AI hallucinations, which rarely occur with AI-generated news and content, we ask you to contact us via email and inform us in the event of false statements or misinformation. Please don’t forget to include the article headline in the email: “Legacy Python scripts put PyPI packages at risk through domain takeover”.
