
code execution backdoor #1

Open
di1l0o opened this issue Jun 6, 2022 · 4 comments

Comments

@di1l0o

di1l0o commented Jun 6, 2022

We found a malicious backdoor in versions 0.9.50~1.0.1 of this project, and its malicious backdoor is the request package. Even if the request package was removed by PyPI, many mirror sites did not completely delete this package, so it could still be installed. When using pip install django-navbar-client==1.0.1 -i http://pypi.doubanio.com/simple --trusted-host pypi.doubanio.com, the request malicious plugin can be successfully installed.


Repair suggestion: delete version 0.9.50~1.0.1 in PyPI

@okuuva

okuuva commented Jun 29, 2022

Looking at the commit that added the request package it really seems like it's always been the goal to distribute the backdoor. Not saying it was, just saying it really looks like it.

@josubg
Owner

josubg commented Jun 29, 2022

Thanks @duxinglin1 for the advice. As it is an abandoned project and I doubt nobody ever used it, I will delete the PyPI packages and push a blank state to the repo to avoid any unintentional install. I will keep it, not fully erase it, for sentimental reasons. Feel free to grab any code if it is of interest to you.

Dear @okuuva, I do not understand how you come to the conclusions that this project is some kind of trojan, only from the fact that I added a 50k stars pypi package, namely request. I don't even fix the package versions in the dependencies. Your assumption has left me, for lack of a better term, speechless.

@okuuva

okuuva commented Jun 29, 2022

Dear @okuuva, I do not understand how you come to the conclusions that this project is some kind of trojan, only from the fact that I added a 50k stars pypi package, namely request. I don't even fix the package versions in the dependencies. Your assumption has left me, for lack of a better term, speechless.

I didn't come to any conclusions and didn't make any assumptions, I just said that the activity seems odd. Yes, requests is a package with 50k stars. request without the trailing "s" is/was a malicious package with a similar name to trick people into installing it instead of the popular requests package. The fact that the request package was added to the requirements without it ever being used (requests was added later and is used) seems odd. It's also odd that this repo still hosts a version with that malicious package in the install_requires even though there are newer versions in PyPI that do not include it and older versions with the malicious package have been removed from PyPI (thank you very much for that).

Again, I'm not accusing you of anything. I'm just saying there's a lot of odd activity around this package both in PyPI and this repo.

@okuuva

okuuva commented Jun 29, 2022

@josubg I took a better look at the commit history and it seems that it could've been an honest mistake. You had a typo in a few requests calls when you migrated from urllib3 to requests. You then added request to the dependencies in a separate commit, and then fixed the typos and added the right package to the dependencies after that, and probably forgot to remove the wrong package from the dependencies. I'm sorry, but the odd commit history and the version mismatch between the repo and PyPI made it seem really fishy. Thank you again for removing the infected packages from PyPI!
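The two situations the comments above describe, a dependency (request) declared in install_requires but never imported, and a distribution name one character away from a popular package (requests), can both be caught before release. The following is an added example, not code from this repository: a small Python audit that strips version specifiers from each requirement, collects the top-level modules the project source actually imports, and flags declared-but-unused names and near-misses of a small allowlist. The allowlist, the sample source and the sample install_requires list are constructed here for illustration.

```python
import ast
import difflib
import re

# Constructed sample install_requires, mirroring the thread: the typosquat
# "request" sits next to the real "requests" that the code uses.
SAMPLE_INSTALL_REQUIRES = ["Django>=2.0", "request", "requests>=2.20"]

# Constructed sample of project source: imports requests, never "request".
SAMPLE_SOURCE = '''
import requests
from django.conf import settings

def fetch(url):
    return requests.get(url, timeout=5)
'''

# Hypothetical allowlist of well-known distribution names; a real audit would
# load a curated list instead of hard-coding a handful (assumption).
POPULAR = {"requests", "django", "urllib3", "numpy", "flask"}


def dist_name(requirement: str) -> str:
    """Strip specifiers/extras/markers: 'requests>=2.20' -> 'requests'."""
    return re.split(r"[<>=!~;\[ ]", requirement.strip(), maxsplit=1)[0].lower()


def imported_top_levels(source: str) -> set:
    """Top-level module names the source imports, found via the AST."""
    names = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            names.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            names.add(node.module.split(".")[0])
    return names


def audit(install_requires, source):
    """Return (name, reason) findings for unused deps and near-miss names."""
    used = imported_top_levels(source)
    findings = []
    for req in install_requires:
        name = dist_name(req)
        if name not in used:
            findings.append((name, "declared but never imported"))
        if name not in POPULAR:
            close = difflib.get_close_matches(name, POPULAR, n=1, cutoff=0.8)
            if close:
                findings.append((name, f"looks like a near-miss of '{close[0]}'"))
    return findings
```

Distribution names and import names do not always match (the assumption here is that they do), so a production version needs a mapping for packages such as Pillow/PIL before it flags anything as unused.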
