If you’re dealing with Python packages for Bitcoin or e-commerce, watch out!
Researchers from Socket found a couple of sketchy packages in the PyPI module, bitcoinlibdbfix and bitcoinlib-dev. They claim to fix bugs in the real bitcoinlib, but their true purpose is to swipe sensitive data. There’s also another harmful package called disgrasya, which includes a fully automated carding script aimed at WooCommerce stores.
It's nothing new, using library programming distribution is common way to spread malware. Although it's weird malicious package called "disgrasya" downloaded over 37K times, when searching "disgrasya" on Google leads to dictionary/language website rather than programming website.
P.S. I don't think this thread belongs on "Beginners & Help", since average people don't need to install Python package manually.
Unfortunately this is true, and we can do nothing to cut off this way.
This is likely due to PyPI's prompt action in immediately removing the 'disgrasya' package from repository after it was identified as malicious. Nothing to index for Google's bots over there.
Agreed and move it here.
We can recognize that PyPI's review processes don't suffice to fence off supply chain attacks, and look for software distribution mechanisms that do this better.
All three packages has been flagged by Pypl as malicious packages and are no longer on their package distribution, They have been removed from the index.
When working with distributions that has to do with crypto coins or finance generally. It is best to consider a few things before giving the distribution a try
Ensure the repository is open source Look out for the number of stars, forks and issues Check when it was last updated
You can use websites like:
library.io
Can help you evaluate package popularity, activity, and reliability across ecosystems.