6 comments

[ 3.6 ms ] story [ 23.4 ms ] thread
These look like really oddball packages that few would consider using.

How many of those 41000 are automatic build systems, mirrors and security scanners?

importantpackage seems like an oddball package to you?!
Since the article doesn’t have this, The names of the packages are:

importantpackage / important-package

pptest

ipboards

owlmoon

DiscordSafety

trrfab

10Cent10 / 10Cent11

yandex-yt

yiffparty

>yiffparty

Time to have a talk with my fellow tech furs again.

> The so-called “dependency confusion attacks” work by uploading malicious packages to public code repositories and giving them names that are identical to legitimate packages stored in the internal repository of Microsoft, Apple, or another large software developer.

This is the key line. These attacks happen at installation specific organizations. The attackers haven't bypassed open source code review.

On this topic, something that drives me nuts about Python packaging is that the name of the top-level import often doesn’t match the name of the package. For example if you see `import yaml` in a Python script, you might try to run `pip3 install yaml`, but no, you should actually run `pip3 install pyyaml`.