0x40kMar 15, 2025

Hey everyone, does this sound familiar? You install a Python package and suddenly feel like you've been robbed blind? 😂

Right now, there's a nasty campaign going on targeting PyPI, and it's misusing "time" utilities to swipe cloud credentials. Get this – it's already had over 14,000 downloads! The malware hides in packages that are *supposed* to just check the time. But instead, they're snatching cloud keys (AWS, Azure, the works) and sending them straight to the bad guys.

Honestly, it reminds me of a pentest we did where we *almost* missed a similar camouflage trick. Seriously creepy! So, heads up: Double-check your dependencies, run those scans, review your cloud configurations, and above all, be suspicious! And hey, just a friendly reminder: automated scans are no substitute for a manual pentest!

Have you run into anything similar? What tools are you using to beef up your security? Let's chat about it!

#infosec #pentest #python #pypi #malware #cloudsecurity

Show threadsysosmasterMar 15, 2025

@0x40k why pypi still hasn’t “fixed” their processes so you can both: not just download unchecked packages and verify who uploaded and wrote (signed) the code/commit is beyond me.

Aside from that it is long overdue that we start taking “supply chain attacks” seriously…

Or this is only going to get worse.

Show threadHugo van Kemenade

@sysosmaster @0x40k

Trusted Publishing gives provenance of which repo the files were uploaded from, the workflow file, and commit. For example:

https://pypi.org/project/urllib3/2.3.0/#urllib3-2.3.0-py3-none-any.whl

Downstream verification for installers such as pip is the next step:

https://blog.trailofbits.com/2024/11/14/attestations-a-new-generation-of-signatures-on-pypi/

#python #PEP740 #PyPI #TrustedPublishing

urllib3

HTTP library with thread-safe connection pooling, file post, and more.

PyPI
Mar 21, 2025 at 12:51pmWeb