Article from https://hackaday.com/2018/10/31/
when-good-software-goes-bad-malware-in-open-source/
Open Source software is always trustworthy, right? Bertus broke a story
about a malicious Python package called Colourama. When used, it secretly
installs a VBscript that watches the system clipboard for a Bitcoin address,
and replaces that address with a hardcoded one. Essentially this plugin
attempts to redirects Bitcoin payments to whoever wrote the colourama
library.
Why would anyone install this thing? There is a legitimate package named
Colorama that takes ANSI color commands, and translates them to the Windows
terminal. Its a fairly popular library, but more importantly, the name
contains a word with multiple spellings. If you ask a friend to recommend a
color library and she says coulourama with a British accent, you might
just spell it that way. So the attack is simple: copy the original projects
code into a new misspelled project, and add a nasty surprise.
Sneaking malicious software into existing codebases isnt new, and this
particular cheap and easy attack vector has a name: typo-squatting. But
how did this package get hosted on PyPi, the main source of community
contributed goodness for Python? How many of you have downloaded packages
from PyPi without looking through all of the source? pip install colorama?
Wed guess that its nearly all of us who use Python.
Its not just Python, either. A similar issue was found on the NPM javascript
repository in 2017. A user submitted a handful of new packages, all
typo-squatting on existing, popular packages. Each package contained
malicious code that grabbed environment variables and uploaded them to the
author. How many web devs installed these packages in a hurry?