Caution: Harmful packages in PyPI

4 replies 59 views
silentchainHero Member
Posts: 473 · Reputation: 2317
#1Sep 29, 2024, 12:03 AM
If you’re dealing with Python packages for Bitcoin or e-commerce, watch out! Researchers from Socket found a couple of sketchy packages in the PyPI module, bitcoinlibdbfix and bitcoinlib-dev. They claim to fix bugs in the real bitcoinlib, but their true purpose is to swipe sensitive data. There’s also another harmful package called disgrasya, which includes a fully automated carding script aimed at WooCommerce stores.
2 Reply Quote Share
hash_bossLegendary
Posts: 1166 · Reputation: 5261
#2Sep 29, 2024, 12:22 AM
It's nothing new, using library programming distribution is common way to spread malware. Although it's weird malicious package called "disgrasya" downloaded over 37K times, when searching "disgrasya" on Google leads to dictionary/language website rather than programming website. P.S. I don't think this thread belongs on "Beginners & Help", since average people don't need to install Python package manually.
4 Reply Quote Share
silentchainHero Member
Posts: 473 · Reputation: 2317
#3Sep 29, 2024, 02:16 AM
Unfortunately this is true, and we can do nothing to cut off this way. This is likely due to PyPI's prompt action in immediately removing the 'disgrasya' package from repository after it was identified as malicious. Nothing to index for Google's bots over there. Agreed and move it here.
1 Reply Quote Share
gw3i_4ltFull Member
Posts: 46 · Reputation: 409
#4Sep 29, 2024, 05:28 AM
We can recognize that PyPI's review processes don't suffice to fence off supply chain attacks, and look for software distribution mechanisms that do this better.
4 Reply Quote Share
whale_chainFull Member
Posts: 88 · Reputation: 664
#5Sep 29, 2024, 09:55 AM
All three packages has been flagged by Pypl as malicious packages and are no longer on their package distribution, They have been removed from  the index. When working with distributions that has to do with crypto coins or finance generally. It is best to consider a few things before giving the distribution a try Ensure the repository is open source Look out for the number of stars, forks and issues Check when it was last updated You can use websites like: library.io Can help you evaluate package popularity, activity, and reliability across ecosystems.
2 Reply Quote Share

Related topics