mirror of
https://gitlab.com/free_zed/free_zed.gitlab.io.git
synced 2024-06-01 22:02:28 +00:00
✨ Add pip install malware notes
This commit is contained in:
parent
29169d8f73
commit
e9d0881e6a
59
content/pyconfr-2023-pip-install-malware.md
Normal file
@ -0,0 +1,59 @@
Title: pip install malware
Date: 2023-02-19 14:01
Summary: SUMMARY
Category: Bloc-notes
Tags: live-notes, pyconfr, talk, bordeaux, python, TAG1, TAG2
Status: published

Par **[Max Kahan][author]** − Salle [Rosalind Franklin][rfranklin]


### [pip install malware][abstract]

[![logo PyConFr Bordeaux 2023][pyconimg]][pyconfr]

> pip install malware: it’s that easy. Almost all projects depend on external packages, but did you know how easy it can be to install something nasty instead of the dependency you want? I'll be showing this live, as I make malware and infect my own computer with it during the talk!
>
> You might remember classic typosquatting examples like goggle.com, but it’s now common to see malicious code hidden in spoofed or otherwise fraudulent PyPI packages or nested dependencies. Malware developers can also use techniques like starjacking to appear legitimate, so these unpleasant packages become even more difficult to spot. It’s estimated that over 3% of packages on PyPI could be using this technique.
>
> By the end of this talk, you’ll know how to protect yourself when installing and updating dependencies and you’ll leave with a checklist to follow to help you stay safe in future.

_[Support][support]_

---

Notes personnelles
==================

* disclamer
- malware evolve
- not a security talk
* cost of malware
- 4.06 M€ cost of malware
- 19% are from
* developers are now a target
* PyPI risk
- typo squatting
* estimated typosquatted package on PyPI: 3%
* downloaded estimated 0.5%
* real malware targetting `requests`
- `rrequests`, `_equests`, …
* `pycurl` -> `libcurl`
* dot-env
- repo change for a malicious mainten€r
- starjacking
* malwar shows lots of popularity on github
* **DEMO** Do not install this: https://pypi.org/project/not-the-vonage-python-sdk/
* What ca I do
- consider defensing typosquatting
- preempt you package typo errors
- do no type package name, use config files
- use scanning tools


[abstract]: https://www.pycon.fr/2023/fr/talks/30m.html#pip-install-malware
[author]: https://uk.linkedin.com/in/maxkahan
[pyconfr]: https://www.pycon.fr/2023/
[pyconimg]: {static}/img/200-pycon-fr-23.png
[rfranklin]: https://fr.wikipedia.org/wiki/Rosalind_Franklin
[support]: https://
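Review bot: the front matter still carries template placeholders while `Status: published` would make them live on the site: `Summary: SUMMARY`, the `TAG1, TAG2` entries in the Tags line, and the empty link target `[support]: https://`, which renders a dangling "Support" link. Either fill these in or set `Status: draft` until they are. Further down, `- 19% are from` stops mid-sentence, and a few spellings would be worth a pass before publishing (`disclamer`, `targetting`, `malwar`, `What ca I do`, `do no type package name`).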