- https://github.com/pyupio/safety-db and https://pyup.io/
- safety package: Safety checks your installed dependencies for known security vulnerabilities.
- Verifying PyPI and Conda Packages by Stuart Mumford (2016-06-21)
- Sign a package using GPG and Twine
- PEP 458 -- Surviving a Compromise of PyPI (27-Sep-2013)
- PEP 480 -- Surviving a Compromise of PyPI: The Maximum Security Model (8-Oct-2014)
- Making PyPI security independent of SSL/TLS by Nick Coghlan
.. toctree::
   :maxdepth: 1

   pypi-vuln/index-2017-10-12-unchecked_file_deletion.rst
   pypi-vuln/index-2017-11-08-pypirc_exposure_on_github.rst
   pypi-vuln/index-2020-01-05-authentication_method_flaws.rst
   pypi-vuln/index-2020-02-22-upload_endpoint_csrf.rst
   pypi-vuln/index-2021-06-15-unintended-deployments.rst
   pypi-vuln/index-2021-07-26-legacy-document-deletion.rst
   pypi-vuln/index-2021-07-27-combine-prs-workflow.rst
   pypi-vuln/index-2021-07-27-role-deletion.rst
   pypi-vuln/index-2022-05-24-ctx-domain-takeover.rst
- Typosquatting programming language package managers by Nikolai Tschacher (8 June, 2016)
- LWN: Typosquatting in package repositories (July 20, 2016)
- Building a botnet on PyPi by Steve Stagg (May 19, 2017)
- warehouse bug (pypi.org): Block package names that conflict with core libraries (reported on June 28, 2017)
- 2017-09-09: skcsirt-sa-20170909-pypi-malicious-code advisory
fate0:
- 2017-05-27 04:38 - 2017-05-31 12:24 (5 days): 10,685 downloads
- May-June, 2017
- https://mail.python.org/pipermail/distutils-sig/2017-June/030592.html
- http://blog.fatezero.org/2017/06/01/package-fishing/
- pypi/legacy#644
- http://evilpackage.fatezero.org/
- https://github.com/fate0/cookiecutter-evilpy-package
- Packages (this list needs to be validated):

  - caffe
  - ffmpeg
  - ftp
  - git
  - hbase
  - memcached
  - mkl
  - mongodb
  - opencv
  - openssl
  - phantomjs
  - proxy
  - pygpu
  - python-dev
  - rabbitmq
  - requirement.txt
  - requirements.txt
  - rrequirements.txt
  - samba
  - shadowsock
  - smb
  - tkinter
  - vtk
  - youtube-dl
  - zookeeper
  - ztz
  - ...
Example of typos:

- ``urllib``, ``urllib2``: part of the standard library
- ``urlib3`` instead of ``urllib3``
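Both patterns above (a near-miss of a popular package name such as ``urlib3`` for ``urllib3``, and a standard-library module name such as ``urllib2`` or ``tkinter`` that has nothing legitimate to install from PyPI) can be screened for before ``pip install`` runs. The following is an added example written for this page, not code from the page itself or from any project it links: ``KNOWN_PACKAGES`` is a constructed allowlist standing in for whatever inventory a team maintains, the sample requirements file is constructed, and because ``sys.stdlib_module_names`` only exists from Python 3.10 on, a small hand-written set of Python 2 and 3 module names is merged in as a fallback.

```python
"""Screen a requirements file for typosquat and stdlib-shadow candidates.

Added example (not from the page or any linked project). Heuristics:
  1. the name is a file name ("requirements.txt") that someone tried to pip install;
  2. the normalized name is a standard-library module, so a PyPI package
     of that name has no legitimate reason to exist;
  3. the name is one edit (insertion, deletion, substitution or adjacent
     transposition) away from a known package while not being that package.
"""
import re
import sys

# Constructed fallback: Python 2 names (urllib2, Tkinter) and a few Python 3
# names, so the check also works on interpreters without stdlib_module_names.
_FALLBACK_STDLIB = {"urllib", "urllib2", "urlparse", "tkinter", "Tkinter",
                    "ftplib", "smtplib", "ConfigParser", "cPickle"}

# Constructed allowlist of packages the team actually depends on.
KNOWN_PACKAGES = {"urllib3", "requests", "numpy", "opencv-python",
                  "youtube-dl", "pyyaml", "python-dateutil"}


def normalize(name):
    """PEP 503 name normalization: case-fold, collapse runs of -_. to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def stdlib_names():
    names = set(getattr(sys, "stdlib_module_names", ()))  # Python >= 3.10
    names |= _FALLBACK_STDLIB
    return {n.lower() for n in names}


STDLIB = stdlib_names()


def osa_distance(a, b):
    """Optimal string alignment distance (Levenshtein + adjacent swaps)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def classify(name):
    """Return a verdict string for one requirement name."""
    if name.lower().endswith(".txt"):
        return "filename-as-package"
    n = normalize(name)
    if n in STDLIB:
        return "stdlib-shadow"
    if n in KNOWN_PACKAGES:
        return "ok"
    close = sorted(p for p in KNOWN_PACKAGES if osa_distance(n, p) == 1)
    if close:
        return "near-miss of %s" % close[0]
    return "unknown"


def parse_requirement(line):
    """Extract the project name from a requirements line; None if no name."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("-"):  # blank, comment-only, or an option like -r
        return None
    m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)", line)
    return m.group(1) if m else None


def audit(text):
    """Return [(name, verdict), ...] for every requirement in the file text."""
    out = []
    for line in text.splitlines():
        name = parse_requirement(line)
        if name is not None:
            out.append((name, classify(name)))
    return out


# Constructed sample requirements file mixing legitimate and suspect names.
SAMPLE_REQUIREMENTS = """\
requests==2.31.0
urlib3>=1.26          # one 'l' short
urllib2               # Python 2 stdlib module; nothing to install
tkinter
reqeusts              # transposed letters
youtube_dl            # normalizes to youtube-dl
requirements.txt      # a file name typed as a package name
numpy
"""

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_REQUIREMENTS):
        print("%-20s %s" % (name, verdict))
```

The order of checks matters: ``urllib2`` is one edit away from ``urllib3``, so the standard-library test runs before the near-miss test to give the more specific verdict. Anything reported as ``near-miss``, ``stdlib-shadow`` or ``filename-as-package`` is worth a human look before it reaches a build; ``unknown`` only means the name is absent from the allowlist.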
- The Update Framework (TUF): Like the S in HTTPS, a plug-and-play library for securing a software updater.