Work in progress: Fixing typosquatting+namesquatting threats in Python Package Index (PyPI).
In June 2016, the study "Typosquatting programming language package managers" stated that urllib2 had ~4,000 downloads in 2 weeks. But in June 2017, we found the same package name vacant, and so we (being the good guys) squatted it for several months, up until this disclosure. We take these findings seriously.
20170519: Steve Stagg writes about how he registered stdlib names and sent emails, and that »I raised an issue on the official pypi github issue tracker in January. This also got no reply.«
20170628: PyPI Warehouse issue #2151 is opened. Title is "Block package names that conflict with core libraries", but no names were blocked.
20170913: We squatted all 128 available stdlib module names on PyPI; scroll down to see the statistics gathered from the pingbacks.
20170914: A number of in-the-wild malicious packages on PyPI were disclosed by the Slovak National Security Authority.
We had a pingback in the setup.py of the packages involved in Strategy #1, meaning that for a limited duration we gathered statistics on the extent of the issue. The callback didn't involve any stats from user systems, just an IP address, so we could count each unique system that attempted to install a non-existent package that could have been exploited.
We are calling for analysis of the current PyPI resources to find in-the-wild exploits of typosquatting, as the Slovak National Security Authority has done. We hope there are none, but the problem has been around for a long time, and our primer didn't get any reaction from the PyPI admins.
20170917: PyPI's main developer Donald Stufft creates PR#2396 for database-backed blacklisting of package names. It's unclear how the blacklist will be applied, but it would mean a more efficient process for administrators.
Once done, we hope to achieve a better pip installer that behaves like this:

    pip install pipsec
    pip install virtualenv-wrapper   # See that it fails
    pip install virtualenvwrapper    # This is correct
The closure of pip#4527 seems to hint that attempts to add security on the client side aren't popular. The arguments are weak, though, so there's no real reason not to do something like the above.
Check out the code for this website on https://github.com/benjaoming/pytosquatting.
Blocked stdlib installations between 20170913 and 20170916: 8335
On 20170916, PyPI removed our top 20 squatted packages, so our statistics won't match up anymore. They didn't remove the other 108 squatted packages.
| Package | Average per day |