PyPI Typosquatting

typosquatting_pip

Severity

high

Family

Typosquatting

Description

It occurs when the attacker creates a package with a group or name similar to a popular, inducing users to install this package inadvertently. This attack strategy is generic and often used with different build managers, including PyPI.

Security

If the project has the malicious dependency then the code written by the attacker could be executed.

Even the package may contain the same functionality as the original and thus go unnoticed and end up running in a production environment.

Examples

setup.py

...
    install_requires=[
        'portal-address',
        'launchpadlib',
        'keras_contrib==2.0.8@https://github.com/keras-team/keras-contrib/tarball/master#egg=keras_contrib-2.0.8'
    ],
...

The portal-address package does not exist. The popular package is postal-address.

Mitigation / Fix

Choose the right dependency and be careful when adding new ones.

This tool proposes a popular package to replace the malicious one when it finds such misconfiguration.