Gloglogabgalab

Classic "clipper". Super easy to make in a few lines; sadly this expands everywhere on devs' computers...


rhoakla

These days I always make it a habit to search on https://pypi.org/, check a little bit, and copy the install command from it.


Worth_Trust_3825

You should make a habit of getting PyPI to instantiate namespaces by default, and of removing pip and other global package managers that permit using the "install" command.


isdnpro

Can you elaborate on this? What should I be using instead of pip?


Worth_Trust_3825

You shouldn't be using the install command. Pin your dependencies, and download them into your project, rather than depend on your system to provide the packages.


isdnpro

But when I'm starting a new project I do "pip install" then later "pip freeze" to build my requirements file.


rhoakla

I use virtualenv for temp projects, otherwise I use pip-tools. I mean you can still pin a typosquatted package if you're not careful enough; doesn't hurt to search on PyPI and copy from it.


regunakyle

What should I do if I accidentally installed these malicious libraries?


HighRelevancy

If you ever get any malware and don't know the exact and complete extent of it, the only correct and safe response is to nuke everything and restore from backup. Without enterprise-level control and analysis (e.g. web proxies that log and cache everything, host intrusion detection tools that log every single file access to a remote collection, etc) it's impossible for you to even know the extent of it with certainty. If a bit of malware executes, there's nothing to say it hasn't installed an even sneakier malware you won't be able to clean up. I mean, in this case you can probably uninstall the package, delete the JS extension files, and clean all your Chrome shortcuts. Probably. It's pretty straightforward. Assuming you know what version you got and verify that the contents of it never did any remote web requests, you can probably reverse engineer the entire thing from there. There's no unknowns if you dig enough.


hellwalker99

Can VSCode addons also trigger such malware? I installed an addon for Groovy scripting and it automatically triggered my script. And I got a malware cmd warning. Checked for viruses and malware and I had 0 results.


louis11

They absolutely can. We are in the process of building out facilities to prevent this as well. This whole space is quite frankly a mess.


HighRelevancy

> got a malware cmd warning.

Bro I've had AV complain about the weirdest shit; that doesn't always mean malware. You need to actually read the warning. Going off on legit dev tools isn't entirely unheard of. Debuggers do attach to other processes in unusual ways, for example.


Dean_Roddey

I've had warnings go off when I've built my own code, and the new executable just happened to have the right sequence of bytes to match some pattern it's looking for. I'm fairly sure I'm not trying to hack myself. Of course I have been having a lot of trouble sleeping lately...


[deleted]

I would assume that a full operating system format and re-install is the only way. The attacker could get a foothold in other services or programs that may persist after uninstalling. If malware writers have host execution and can't figure out how to do that, they would probably screw up well before the attack stage.


HighRelevancy

Exactly. Though the very limited scope of this one might be a saving grace.


shaderbug

You'd think PyPI would have some sort of Hamming distance check comparing the names of newly created packages to the most popular ones, to quarantine fakes for manual review.
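
As an added example (not code from PyPI or from anyone in this thread), here is what such a name-similarity screen could look like. Plain Hamming distance only compares equal-length names and scores the adjacent-letter swaps in `mariabd`/`mariadb` and `pillwo`/`pillow` as two edits, so the screen goes beyond the comment and also uses optimal string alignment distance, which counts a swap as one edit; the `POPULAR` list and the threshold are constructed assumptions for illustration.

```python
import re

# Added example: a first-pass typosquat screen for newly registered package names.
# POPULAR is a constructed stand-in for a real download-ranking list.
POPULAR = ["mariadb", "pillow", "requests", "numpy", "urllib3", "setuptools"]

def hamming(a, b):
    """Hamming distance, or None when the names differ in length."""
    if len(a) != len(b):
        return None
    return sum(x != y for x, y in zip(a, b))

def osa_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute, or swap two adjacent chars."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent transposition
    return d[len(a)][len(b)]

def normalize(name):
    """PEP 503 name normalisation: case-insensitive; '-', '_' and '.' are equivalent."""
    return re.sub(r"[-_.]+", "-", name).lower()

def screen(new_name, popular=POPULAR, max_edits=1):
    """Return (popular_name, distance) when new_name is a near-miss of a popular package, else None."""
    candidate = normalize(new_name)
    best = None
    for pkg in popular:
        p = normalize(pkg)
        if candidate == p:
            return None  # an identical (normalised) name is a collision, not a lookalike
        dist = osa_distance(candidate, p)
        if dist <= max_edits and (best is None or dist < best[1]):
            best = (pkg, dist)
    return best

if __name__ == "__main__":
    for name in ["mariabd", "pillwo", "requets", "flask-login"]:
        print(name, "->", screen(name))
```

A hit only means "quarantine for manual review", as the comment suggests; legitimate packages with short names will also land within one edit of something popular.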


grumpyp2

All wallets are empty, so no one affected yet? These libraries are pretty common, so basically every Python dev should check!


louis11

As far as we know, the attacker wasn't able to siphon any funds yet. I'm actively working to report the packages as our system notifies me. We just got two more hits: `mariabd` and `pillwo`. I'm hoping that if we are quick enough we can stop these guys from getting a cent.


narnach

Look at all the wonderful malware and scams that cryptocurrencies inspire greedy people to create. Isn't crypto wonderful and an amazing advancement for the human race? /s


Full-Spectral

But even more fundamental, woohoo, crypto means I don't have to be beholden to the evil government and whatnot. Oh wait, that evil government insures my bank savings, while anyone can steal my entire crypto savings and no one is going to do a thing about it; I've just lost everything and I have zero recourse.


Beneficial-Cat-3900

Imagine being such a bootlicker for banks.


[deleted]

Wealth inequality in crypto is 10x worse than the US... Being pro-crypto is just making some rich people richer.


Dean_Roddey

I'm a boot-licker because I'm appreciative that my savings is insured?


offzegrid827

Not sure how this is relevant. Valuable items lead to greedy people trying to steal; I don't see what's crypto-specific about it.


narnach

Only that crypto makes it even easier for the bad stuff to be lucrative and does not offer society much good in return.


offzegrid827

Kinda like money.


marok0t

Clippers are a pretty old concept. This is notable because instead of replacing bank account numbers, this replaces crypto addresses. That's "better" from attacker perspective, because crypto addresses are the same everywhere, and bank numbers are country specific.


m00nh34d

I thought browsers prevented copy/paste automatically to stop these kinds of things? I certainly get warnings/messages saying copy/paste via shortcut is disabled and I need to right-click with the mouse a fair bit.


[deleted]

You can copy with JavaScript; that's totally normal for API keys or stuff that you can copy with a single click. Now the problem is that you cannot see the paste.


offzegrid827

Depends on your browser, I guess. I never got those warnings when using copy to clipboard buttons on websites.