Khrys

A popular Python library just became a backdoor to your entire machine

https://www.xda-developers.com/popular-python-library-backdoor-machine/

It's one of the most popular Python libraries for interacting with large language models [...] It has over 40,000 stars on GitHub, and it's an important dependency in a lot of AI tooling. It's also been compromised on PyPI, and the malicious versions are stealing everything they can find on your machine.

Sorry but... 🍿

A popular Python library just became a backdoor to your entire machine

Supply chain attacks feel like they're becoming more and more common.

XDA
Mar 24 at 9:21pmWeb
Show threadMay Likes Toronto12h ago
@Khrys Wow. That's a gnarly one. I wonder how bad it is going to hit companies deep in LLM mania.
Show threadG. Wozniak11h ago

@mayintoronto @Khrys I heard some "I hope we're not using this" remarks about this today.

Hope.

Show threadCassandrich11h ago
@gwozniak @mayintoronto @Khrys 🍿🍿🍿
Show threadMark Whybird12h ago
@Khrys Waiting keenly for @simon’s notes on this soonish.
Show threadEpistomai11h ago

@Khrys but... Python library... yay!!!

(obviously sarcastic) 😆

Show threadCassandrich11h ago
@Khrys Wait, what? Python has a place you can install the Python equivalent of LD_PRELOAD code that gets injected into every program, and packages from their package manager can just drop stuff in there? Who came up with that shit and why isn't it fixed??
Show threadDavid Fetter11h ago

@dalias There's a fun story about embedding Python https://www.postgresql.org/docs/current/plpython.html . "meaning it does not offer any way of restricting what users can do in it" is load-bearing.

That it's categorically impossible to prevent Python from doing fopen(), or any other thing, is just wild, and was understood decades back. It's a design feature.

Chapter 44. PL/Python — Python Procedural Language

Chapter 44. PL/Python — Python Procedural Language Table of Contents 44.1. PL/Python Functions 44.2. Data Values 44.2.1. Data Type Mapping 44.2.2. Null, …

PostgreSQL Documentation
Show threadCassandrich11h ago
@davidfetter That's different and expected. It's not an embedded language. But the package manager should not allow a package installed with the intent just to use it in certain programs (which might all run in an isolated privilege domain) to install backdoor code that runs in all Python programs in any privilege domain.
Show threadJoshix8h ago
@dalias @davidfetter a python package, can run arbitrary code on installation. So it's already too late then
Show threadLaíns ⚡🌈🇵🇸11h ago
@dalias @Khrys it's an hook from the 'site' module, which is what implements support for user installable package locations, and can be disabled completely. if your threat model allows malware to be installed to those locations, you are already compromised anyway. the hook isn't great sure — it's an old design that's difficult to replace without major downstream breakage — but there are many other ways you can amplify the attack, regardless.
Show threadLEdoian10h ago

@dalias Oh this is so awesome! Thanks to this I learned that it is possible to Rickroll a Python user (i.e. anyone who launches anything that is run using Python) at very unexpected times just by placing 83 bytes into the right file in the user's home directory.

Yes, this is a horrible misfeature.

@Khrys

Show threadAndrea (Drea) Tamar Pinski11h ago
@Khrys I was looking for this take today though I didn't look hard because I have other things to do. But I definitely need a big bag of 🍿.
Show threadDavid Fetter11h ago
@Khrys much popcorn needed.
Show threadLEdoian11h ago

@Khrys Heh, I wondered when I read about that in oss-security today how many people would be affected. Thanks to you, now I know!

🍿🍿 indeed!

Show threadPēteris Krišjānis10h ago
@Khrys seriously, guys, don't use LLM, it is not worth it. Any savings you imagine are offset by security problems, anxiety, worries of unethical use, e.g.
Show threadell1e coding things8h ago
@peteriskrisjanis @Khrys Even Linux uses it now... https://hachyderm.io/@ell1e/116285351290767548 trying to understand on what grounds the LF thinks this is safe, feel free to jump in or boost.
Show threadJeff McNeill8h ago
@Khrys @pluralistic Many systems have equally enormous attack surfaces, but Python probably stands head and shoulders above, due to ubiquity.
Show threadBrad Howes6h ago
@jeffmcneill @Khrys @pluralistic it is a mad race with Node…
Show threadmtc_uk6h ago
@Khrys
Show threadLe Notaire6h ago
@Khrys For those unwilling to follow clickbaits, the library is #litellm
Show threadBeko Pharm1h ago

@lenotaire @Khrys wtf is clickbait in that? This is a good writeup what is happening, how it is happening, who is targeted, names the affected lib in the very first sentence and shows how to figure out if it is installed.

Yes this is 🍿 but clickbait??

Show threadLe Notaire47m ago
@bekopharm @Khrys The tut said "A popular Python library" and "It's one of the most popular Python libraries for interacting with large language models". No mention at all of "litellm" until opening the link. That's why I called it a clickbait