
Usually such PyPI packages with malware are typo-squatting other, well-known packages. They count on people making mistakes in their pip command-lines or requirements.txt or whatever. But "secretslib"? It doesn't ring a bell as a typo for anything. Authors also can't be counting on people installing it organically because the package had no long description of what it supposedly pretended to do. So what was the plan here?



I have come across a handful of malicious packages. Based on reading the code, I do not think the authors are very professional; it looked more like script-kiddie quality. Maybe there is no plan. Maybe teens are just fooling around.

If you come across a malicious package you can send a take down request at:

https://www.python.org/dev/security/


Money is the plan, and fast, like an old-school bank heist, so I don't think there is much space for QA or forward thinking involved.


I expect the plan was to try to introduce it as a dependency in some more widely-used package.


The author might run it himself in some datacentre pipeline? Looks less suspicious with a pip install.


Could it be typosquatting a package name that's relatively commonly used in private PyPI mirrors?


Probably allows employees to vampire work computers for their profit.


There is a built in secrets module, iirc.


Possibly they hope to bring it in as a secondary dependency for other libraries, so that it implicitly gets injected into other systems.


Probably as a package in a trojan-horse type app. Remember, the whole ecosystem is turtles on turtles.



