[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Developers are advised to purge these malicious packages

On 04/12/2019 18.59, David Lowry-Duda wrote:
> I notice that "python3-dateutil" is in over 4000 github repositories 
> [1]. That sounds like a disaster.
> [1]: https://github.com/search?q=python3-dateutil&type=Code

At least the first pages are packaging files for Debian, Fedora, and
other Linux distributions. Downstream distributions provide a Python
package under multiple names. For example the Fedora's build spec [1]
creates python2-dateutil and python3-dateutil packages from the
python-dateutil upstream project.

Attackers abuse the fact and try to typo-squat packages in hope that
somebody uses the Linux distribution package name "python3-dateutil"
instead of the upstream name "python-dateutil" in requirements.txt