PyPI is popular among Python programmers for sharing and downloading code. Since anyone can contribute to the repository, malware – sometimes posing as legitimate, popular code libraries – can appear there. We found 116 files (source distributions and wheels) from 53 projects containing malware. Some package names do look similar to other, legitimate packages, but we believe the main way they are installed by potential victims isn’t via typosquatting, but social engineering, where victims are walked through running pip install to be able to use the “interesting” package for whatever reason. Over the past year, victims downloaded these files more than 10,000 times (see Figure 1).

Infesting PyPI

[Figure 1. Malicious package downloads over the past year from PyPI using pip]