PyPI removes rogue Python libraries that install backdoors on Linux


The official Python Package Index (PyPI) has removed three rogue Python libraries. Security company ReversingLabs discovered that the libraries contained a hidden backdoor, which was activated when the libraries were installed on Linux systems.

The three packages – libpeshnx, libpesh and libari – were written by the same user, named ruri12, and had been available for download since November 2017, writes ZDNet. ReversingLabs discovered the packages earlier this month. PyPI removed them on July 9, the same day it was notified of the problem.

What the packages were actually meant to do, beyond infecting systems, is unclear. The packages had no description. However, the PyPI statistics show that they were downloaded regularly: each library was installed dozens of times a month.

Backdoor

The rogue code was a simple backdoor mechanism that only activated when the library was installed on Linux systems. There was also an installation procedure that automated the backdoor's operation further.

According to ReversingLabs, the backdoor is an interactive shell that attackers may have used to connect to the infected computers and execute commands on them.

When ReversingLabs discovered the three libraries, the backdoor was only active in the libpeshnx library. The other two packages did contain references to the rogue function, but without the code itself. It therefore seems that the creator had either removed it or was preparing to roll out backdoored versions.

Purpose of the user

The user behind the three rogue packages was also the real owner of the account that uploaded the libraries. Tomislav Pericin, Chief Software Architect and founder of ReversingLabs, states that the account was not compromised.

The user uploaded the packages with the clear aim of deceiving developers into using them in their own code. Once executed, the code could serve as the entry point for an intrusion.

The rogue libraries were found after the security researchers scanned the entire PyPI repository for suspicious files hidden inside Python libraries, such as Windows PE/EXE executables.
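As an added illustration of that scanning approach (example code written for this page, not ReversingLabs' tooling): a small Python heuristic that opens a source distribution tarball and flags members whose bytes begin with a PE or ELF executable header while their file name does not declare them as binaries. The archive contents are constructed inline as a sample.

```python
import io
import tarfile
from typing import List, Optional, Tuple

# Magic numbers for Windows PE ("MZ") and Linux ELF executables.
EXECUTABLE_MAGICS = {b"MZ": "PE/EXE", b"\x7fELF": "ELF"}


def classify_bytes(data: bytes) -> Optional[str]:
    """Return the executable format if data starts with a known magic, else None."""
    for magic, name in EXECUTABLE_MAGICS.items():
        if data.startswith(magic):
            return name
    return None


def scan_sdist(archive: bytes) -> List[Tuple[str, str]]:
    """Scan an sdist tarball (as bytes) and return (member_path, format) pairs
    for members that are executables but carry a non-executable extension."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            fh = tar.extractfile(member)
            if fh is None:
                continue
            fmt = classify_bytes(fh.read(4))  # only the header is needed
            if fmt and not member.name.lower().endswith((".exe", ".dll", ".so")):
                findings.append((member.name, fmt))
    return findings


def build_sample_sdist() -> bytes:
    """Constructed sample: one clean module plus two files hiding executables."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in [
            ("pkg-0.1/pkg/__init__.py", b"print('hello')\n"),
            ("pkg-0.1/pkg/helper.dat", b"MZ\x90\x00" + b"\x00" * 60),
            ("pkg-0.1/pkg/lib.py", b"\x7fELF\x02\x01\x01" + b"\x00" * 20),
        ]:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    for path, fmt in scan_sdist(build_sample_sdist()):
        print(f"{fmt} executable hidden in {path}")
```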

This news article was automatically translated from Dutch to give Techzine.eu a head start. All news articles after September 1, 2019 are written in native English and NOT translated. All our background stories are written in native English as well. For more information read our launch article.