Arbitrary Code Execution During Python Package Installation
Why Typosquatting is a Threat to Python Developers and their Companies
The Setup
Imagine this, you’re a developer at Super corp. You’re working on a new web application and you’re planning on building it using Flask. Like many Macbook Pros, your laptop has some keyboard issues. No biggie. Typing like the wind, you try to install flask
using pip. However, instead of typing pip install flask
you end up with pip install flaskk
.
The install completes in just a second, but you notice the typo. You uninstall flaskk
and give the install a second try with the appropriate number of k’s. Everything looks good and you make some solid progress setting up the bones of a new flask
application before calling it a night.
The next day, you log onto Slack and hear the news; your company had a security breach. Attackers managed to access several AWS S3 buckets with sensitive customer data and to add insult to injury, deployed crypto miners on a large number of EC2 instances, racking up a few thousand in AWS charges overnight.
The security team is baffled. What happened?