The package was uploaded on December 7, 2017, and 0.1.0 was the only version tested on PyPI.

The package name democritus-csv is similar to the name of a real package with similar functionality. In this case, the real package is democritus-base. A user of the real package could be misled into thinking that the fake package name was the real one, and therefore install the fake package instead. The fake package was installed on December 20, 2017, as version 0.1.0. It contained the same code as the real package but also carried a backdoor: when code from the fake package ran, a malicious actor could execute code of their choosing.
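The mechanism described above is a name lookalike: a package whose name shares a prefix with, or is within a couple of typos of, a package the user already trusts. One defensive check is to audit a requirements list against an allowlist of known dependencies and flag any name that closely resembles an allowlisted one without being on the list. The script below is an added example written for this page, not code from the page or from the democritus project; the allowlist, the hypothetical `lookalike_of` and `audit_requirements` helpers, and the requirement lines are all constructed for illustration.

```python
"""Flag dependency names that look like lookalikes of allowlisted packages.

Added example, not code from the page. The allowlist and the sample
requirements below are constructed for illustration.
"""
import re

# Constructed allowlist: packages this project is known to depend on.
KNOWN_PACKAGES = {"democritus-base", "requests", "numpy"}


def normalize(name):
    # PEP 503 name normalization: case-insensitive, runs of -_. become '-'.
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a, b):
    # Classic edit distance (insert/delete/substitute), row-by-row DP.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete
                           cur[j - 1] + 1,         # insert
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def lookalike_of(candidate, known, max_distance=2):
    """Return the allowlisted name `candidate` resembles, or None.

    A name is a lookalike if it is not allowlisted itself and either sits
    within `max_distance` edits of an allowlisted name or reuses the
    hyphenated namespace prefix of one (e.g. 'democritus-').
    """
    cand = normalize(candidate)
    known_norm = {normalize(k) for k in known}
    if cand in known_norm:
        return None
    for k in sorted(known_norm):
        if levenshtein(cand, k) <= max_distance:
            return k
        if "-" in k and cand.startswith(k.split("-", 1)[0] + "-"):
            return k
    return None


def audit_requirements(lines, known=KNOWN_PACKAGES):
    """Return (requested_name, resembled_known_name) pairs worth reviewing."""
    findings = []
    for line in lines:
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)", line)
        if not m:
            continue
        name = m.group(1)
        hit = lookalike_of(name, known)
        if hit:
            findings.append((name, hit))
    return findings


# Constructed requirements.txt content for the example.
SAMPLE_REQUIREMENTS = [
    "# constructed requirements for the example",
    "democritus-csv==0.1.0",   # shares the 'democritus-' prefix with democritus-base
    "requests>=2.31",          # allowlisted, no finding
    "reqeusts",                # two transposed letters away from 'requests'
    "numpy==1.26.0",           # allowlisted, no finding
]

if __name__ == "__main__":
    for requested, resembles in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"review: {requested!r} resembles allowlisted {resembles!r}")
```

A finding is a prompt for a human to confirm the intended package before it is installed; the check says nothing about whether the flagged package is malicious, only that its name is close enough to a trusted one to deserve a second look.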

Conclusion: Keep your packages up-to-date

Keeping your packages up to date helps you avoid being tracked by malicious actors. In this case, the fake package was installed on December 20 and carried a backdoor designed to track user activity, which allows the package's creator to extract data from user systems and send it back to them.

Vulnerable Code:

The vulnerability is in the following code:

    import os
    import sys

    def check_package_present():
        # Only tests that the path of the running script itself exists;
        # this is the check the page identifies as vulnerable, kept as given.
        if not os.path.exists(sys.argv[0]):
            print("PyPI package not found")
            return 1
        return 0

Installing democritus-csv

Democritus-csv was uploaded on December 7, 2017, as version 0.1.0, but a malicious actor could have uploaded a later version of the package with a backdoor.


Timeline

Published on: 10/11/2022 22:15:00 UTC
Last modified on: 10/13/2022 02:36:00 UTC
