I am crawling all the packages on and I'm seeing some weird stuff 😅 Past the dumb names, I have found a ZIP that's actually an SVG, bad unicode, XSS attempts, DOCX papers...

@remram44 Do you do automated analysis to find oddities? Would be interested to run those scripts myself... I was also thinking about installing all python packages in a sandbox to automagically analyze if they do bad stuff such as making themselves auto-run, reading your .ssh or .gnupg folder...

Would also be helpful to check a package before blindly installing it.

@balu All I do is unzip the archives to build a database of files. I didn't try to install or run them.
Finding such issues automatically would probably be very difficult...
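A static first pass over an archive, in the spirit of the file database described above and the pre-install check asked for earlier in the thread, can catch the oddities already named (a ".zip" that is really an SVG, bad Unicode, references to .ssh or .gnupg, install-time hooks) without running anything. This is an added example, not code from anyone in this thread; the magic-byte table, the suspicious-pattern list and the sample archive are assumptions constructed here.

```python
import os
import re
import zipfile
from io import BytesIO

# Illustrative magic-byte table: the extensions each signature legitimately
# carries (assumption; not exhaustive).
MAGIC = {
    b"PK\x03\x04": {".zip", ".whl", ".docx", ".jar", ".egg"},
    b"\x1f\x8b": {".gz", ".tgz"},
    b"%PDF": {".pdf"},
    b"\x89PNG": {".png"},
}

# Text patterns worth a closer look before installing (assumption: a short
# defender-chosen list; tune to taste).
SUSPICIOUS = [
    (re.compile(rb"\.ssh\b"), "references .ssh"),
    (re.compile(rb"\.gnupg\b"), "references .gnupg"),
    (re.compile(rb"\bcmdclass\b"), "custom setup.py command class (code runs at install time)"),
    (re.compile(rb"<script\b", re.IGNORECASE), "inline <script> tag"),
]


def classify_content(head: bytes):
    """Return the magic-byte key the first bytes match, b"<svg" for SVG, or None."""
    for magic in MAGIC:
        if head.startswith(magic):
            return magic
    if head.lstrip().startswith(b"<svg") or (head.startswith(b"<?xml") and b"<svg" in head):
        return b"<svg"
    return None


def inspect_archive(data: bytes):
    """Scan every member of a zip-based sdist/wheel; return (member, finding) pairs."""
    findings = []
    with zipfile.ZipFile(BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            ext = os.path.splitext(name)[1].lower()
            content = zf.read(name)
            head = content[:512]

            # 1. Extension vs. content: a ".zip" that is really an SVG, etc.
            kind = classify_content(head)
            if kind == b"<svg" and ext != ".svg":
                findings.append((name, f"content is SVG but extension is {ext!r}"))
            elif kind in MAGIC and ext not in MAGIC[kind]:
                findings.append((name, f"content matches {kind!r} magic but extension is {ext!r}"))
            elif kind is None and ext in {".zip", ".whl", ".pdf", ".png"}:
                findings.append((name, f"extension {ext!r} but content has no matching magic"))

            # 2. Bad Unicode in files that should be text.
            if ext in {".py", ".cfg", ".toml", ".txt", ".md", ".rst"}:
                try:
                    content.decode("utf-8")
                except UnicodeDecodeError:
                    findings.append((name, "invalid UTF-8 in text file"))

            # 3. Suspicious strings in anything that looks like text (no NUL bytes).
            if b"\x00" not in head:
                for pattern, why in SUSPICIOUS:
                    if pattern.search(content):
                        findings.append((name, why))
    return findings


def build_sample_sdist() -> bytes:
    """Constructed sample package (not a real PyPI upload) that trips each check."""
    buf = BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("pkg/__init__.py", "VERSION = '1.0'\n")
        zf.writestr("pkg/data.zip", "<svg xmlns='http://www.w3.org/2000/svg'></svg>")
        zf.writestr("pkg/notes.txt", b"caf\xe9")  # latin-1 byte, not valid UTF-8
        zf.writestr("setup.py",
                    "from setuptools import setup\n"
                    "import os\n"
                    "p = os.path.expanduser('~/.ssh')\n"
                    "setup(name='pkg', cmdclass={})\n")
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in inspect_archive(build_sample_sdist()):
        print(f"{member}: {why}")
```

Running it against the constructed archive reports the mislabeled SVG, the non-UTF-8 text file, and the two flags in setup.py; on a real download you would point `inspect_archive` at the bytes of the sdist or wheel before installing it. Tar-based sdists need the same member loop written over `tarfile` instead.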

@remram44 Ok. Would be interesting to use some dynamic analysis techniques as they are used for malware analysis. Yes, I guess this won't be an afternoon project. But it would be helpful to detect malicious pip packages (which I heard exist).

@remram44 Item 5 in the latest Python Bites discusses updates to PyPi and expressed incredulity that it had not been hit by worse exploits by now given the lack of protection.

@krozruch I didn't know about this podcast! I don't like it :/ but thanks for pointing it out!

@remram44 :D It is fairly standard corporate fare, but gives me a couple of pointers here and there.
