Malicious PyPI Packages

It was only a matter of time. After the npm repository was hit late last year and Ruby gems were found mining crypto-currency, this time it's PyPI that spreads bad code. Supply chain attacks, as this vector is typically called, are becoming an increasing problem, foremost for software vendors.

The rich supply of community-maintained packages makes particular languages attractive to businesses. Plenty of ready-made packages make it possible to rapidly build the most important components required to bootstrap any SaaS business. Authentication, database connectivity, model-view abstraction layers, web request routing, HTML templating: all of it can be found in these repositories, at no added cost.

However, nothing in life is free, and the price vendors pay is the added risk that comes with unvalidated or unverified sources.

X-No-Wiretap

In times of truly absolute surveillance by the NSA, GCHQ, presumably a bit of BND and who knows who else, it is time for radical ideas. One could, for example, simply state in the request header that one does not want that. This is surely going to be just as successful as the "Do Not Track" header or the IPv4 Security Flag. Perhaps the more conservative among internet users will be interested.

The details can be read here: X-No-Wiretap.

via slashdot.