Malicious Python Packages Uploaded Data to Publicly Exposed Endpoints
Sonatype detected several malicious Python packages on the PyPI repository that have been stealing sensitive information, including AWS credentials, and uploading it to publicly exposed endpoints. Sonatype has reported the malicious packages to PyPI; the packages have been removed from the repository.
Another day, another malicious Python package. Sonatype is making a good case for not only scanning code you write, but also scanning code you are using from repositories like PyPI.
A reminder to not just trust modules provided externally. Make sure that you're using the version you've qualified versus an imposter with “added functionality.” Even so, you're doing static and dynamic code analysis, right? Consider limiting outbound connections to prevent connection to C2 services.
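One concrete way to "use the version you've qualified" rather than an imposter is to record the hash of each reviewed release and refuse anything that does not match, which is what pip's hash-checking mode (`--hash=sha256:...` in a requirements file) enforces at install time. The script below is an added illustration, not code from the article or from Sonatype: the package names, the artifact bytes and the "republished with extra code" scenario are all constructed sample data, and `build_manifest`, `to_requirements` and `verify` are hypothetical helpers written for this example.

```python
"""Hash-pinned dependency verification: qualified release vs. imposter.

Added example, not from the original article. Package names and artifact
bytes are constructed stand-ins for the sdists/wheels you actually reviewed.
"""
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    """SHA-256 of an artifact, hex encoded (the form pip expects after --hash=sha256:)."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample: bytes standing in for the artifacts that passed your
# static/dynamic review. Key is the pip-style 'name==version' specifier.
REVIEWED_RELEASES = {
    "example-http-client==1.2.0": b"# reviewed release contents 1.2.0\n",
    "example-yaml-utils==0.9.1": b"# reviewed release contents 0.9.1\n",
}


def build_manifest(reviewed: dict) -> dict:
    """Record the hash of every artifact at qualification time."""
    return {spec: sha256_hex(data) for spec, data in reviewed.items()}


def to_requirements(manifest: dict) -> str:
    """Emit hash-pinned requirements lines.

    With every line carrying a --hash, pip runs in hash-checking mode and
    refuses to install any distribution whose hash is not listed, including
    a same-version re-upload with 'added functionality'.
    """
    return "\n".join(
        f"{spec} --hash=sha256:{digest}" for spec, digest in sorted(manifest.items())
    )


def verify(manifest: dict, fetched: dict) -> dict:
    """Compare freshly fetched artifacts against the qualified manifest.

    Returns spec -> 'ok' | 'hash-mismatch' | 'unpinned' | 'missing'.
    'unpinned' means something is being installed that was never reviewed;
    'hash-mismatch' means the bytes differ from what was reviewed.
    """
    results = {}
    for spec, data in fetched.items():
        expected = manifest.get(spec)
        if expected is None:
            results[spec] = "unpinned"
        elif not hmac.compare_digest(sha256_hex(data), expected):
            results[spec] = "hash-mismatch"
        else:
            results[spec] = "ok"
    for spec in manifest:
        results.setdefault(spec, "missing")
    return results


# Constructed scenario: one artifact is byte-identical to what was reviewed,
# one was republished under the same version with code nobody reviewed, and
# one was never qualified at all.
FETCHED_NOW = {
    "example-http-client==1.2.0": b"# reviewed release contents 1.2.0\n",
    "example-yaml-utils==0.9.1": b"# reviewed release contents 0.9.1\n# extra code added after review\n",
    "example-color-logs==2.0.0": b"# never reviewed\n",
}


def main() -> None:
    manifest = build_manifest(REVIEWED_RELEASES)
    print("requirements.txt (hash-checking mode):")
    print(to_requirements(manifest))
    print()
    for spec, status in sorted(verify(manifest, FETCHED_NOW).items()):
        print(f"{status:14s} {spec}")


if __name__ == "__main__":
    main()
```

The manifest is built from the artifacts you reviewed, not from whatever the index serves today; anything that arrives later with different bytes, or that was never in the manifest, is rejected before it runs. This complements, rather than replaces, the outbound-connection limits mentioned above: hash pinning blocks the swapped artifact, egress filtering limits what a package that slipped through can do.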
Developers are reminded that they are responsible for the quality of all code that they include or distribute in their products, regardless of its source.