Python Security alert for python libraries

SUMMARY

The discussion centers on a security alert from SK-CSIRT, the CSIRT of the National Security Authority (NBÚ) of the Slovak Republic, about fake Python libraries uploaded to PyPI under names resembling legitimate packages and containing "malicious (but relatively benign) code". One participant advises installing Python modules only from the Linux distribution's repository rather than from PyPI, so that a package has to pass the repository maintainers' vetting and testing before it reaches users, which adds a layer of review that a direct PyPI install lacks. Another participant reports that the alert prompted a corporate notice and that their organization has been checking all of its installations for the affected packages with the scripts the alert provides.

PREREQUISITES
  • Understanding of Python package management
  • Familiarity with Linux distributions and their repositories
  • Knowledge of security best practices in software installation
  • Ability to use scripts for package verification
NEXT STEPS
  • Research the implications of using Python libraries from PyPI versus Linux repositories
  • Learn about tools for verifying package integrity in Linux
  • Explore security practices for managing Python environments
  • Investigate the latest updates on Python security vulnerabilities
USEFUL FOR

Software developers, system administrators, and security professionals who are involved in Python development and package management will benefit from this discussion.

Stephen Tashi
This seems like a good argument for using Linux. I install all the python modules I need from my Linux distro's repository. So fake packages would have had to get by the vetting and testing of the repository's maintainer. That's an added level of security.
 
Stephen Tashi said:
This security alert http://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/ warns against fake python libraries containing "malicious (but relatively benign) code".
I just saw this today. A corporate email went out in my office a couple of weeks ago about this and we've been checking all of our installations for the infected packages using the scripts in your link.
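As an added example (not code from the thread, and not the scripts published with the SK-CSIRT alert), the following Python script does the kind of audit the reply above describes: it lists the distributions installed in the current interpreter and flags any that are on a denylist, that shadow a standard-library module name (the standard library is never installed from PyPI, so such a distribution is suspect by construction), or that sit within one edit of a trusted package name without being that package. The DENYLIST and TRUSTED sets are constructed placeholders; a real audit would use the names published in the advisory and the organization's own approved package list.

```python
"""Audit installed Python distributions for typosquatting candidates.

Added example, not code from the SK-CSIRT alert or from the forum thread.
Three checks are applied to every installed distribution name:
  1. exact match against a denylist (constructed here; an advisory supplies it),
  2. collision with a standard-library module name (never a PyPI install),
  3. edit distance <= max_distance to a trusted name, without being that name.
"""
import re
import sys
from importlib import metadata

# Constructed, illustrative denylist. Assumption: a real advisory supplies this.
DENYLIST = {"setup-tools", "reqeusts"}

# Constructed list of packages a hypothetical organisation actually approves.
TRUSTED = {"requests", "urllib3", "numpy", "django", "setuptools", "cryptography"}

# Standard-library top-level module names. Python 3.10+ ships the full list;
# the fallback is a small constructed subset for older interpreters.
STDLIB = set(getattr(sys, "stdlib_module_names", ())) or {
    "urllib", "tkinter", "pwd", "crypt", "json"
}


def normalize(name: str) -> str:
    """PEP 503 normalisation: lower-case; runs of '-', '_' and '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert/delete/substitute plus adjacent
    transposition, so 'reqeusts' is one step from 'requests' (a typical squat)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def audit(installed, denylist=DENYLIST, trusted=TRUSTED, stdlib=STDLIB, max_distance=1):
    """Return {installed_name: [reasons]} for every distribution that looks wrong.

    Trusted names are never compared for similarity against themselves, so an
    approved package is only reported if it is denylisted or shadows stdlib.
    """
    deny = {normalize(n) for n in denylist}
    trust = {normalize(n) for n in trusted}
    std = {normalize(n) for n in stdlib}
    findings = {}
    for raw in installed:
        name = normalize(raw)
        reasons = []
        if name in deny:
            reasons.append("on denylist")
        if name in std:
            reasons.append("shadows a standard-library module")
        if name not in trust:
            for t in sorted(trust):
                dist = osa_distance(name, t)
                if dist <= max_distance:
                    reasons.append(f"resembles trusted package {t!r} (distance {dist})")
        if reasons:
            findings[raw] = reasons
    return findings


def installed_distribution_names():
    """Names of all distributions visible to this interpreter, however installed."""
    return sorted({d.metadata["Name"] for d in metadata.distributions() if d.metadata["Name"]})


if __name__ == "__main__":
    for name, reasons in audit(installed_distribution_names()).items():
        print(f"{name}: {'; '.join(reasons)}")
```

Two caveats when running this for real: legitimate backports of standard-library modules (a `dataclasses` or `typing` distribution on an old interpreter, for instance) will be reported as stdlib collisions and need manual review, and the edit-distance check is a heuristic that finds look-alike names, not malicious code, so a hit is a lead to investigate, not a verdict. On a distribution-managed system this complements, rather than replaces, the package manager's own integrity verification of the Python packages it installed.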
 
