Last updated
CSAPP does not currently have code analysis features, so the suspicious packages you find will most likely be name-squatting or typosquatting packages: uploads whose names imitate a popular package, rather than packages caught by inspecting their code.
When reviewing a package, start by analyzing the name and project description. Ask yourself: is this package pretending to be something it's not? Is it trying to imitate an already existing popular package?
Review the project links and check out the GitHub repository. Popular packages list the official PyPI package name in their GitHub README, so make sure the package name you are analyzing is spelled exactly the same as the name listed on GitHub; a single swapped, missing or doubled character is the typosquat.
Malicious packages will most likely have only one maintainer listed on PyPI. Review that maintainer's PyPI account. If the account was created recently, this indicates a throwaway account may have been made for the malicious upload. If the account has no previous package history on PyPI, that is another indicator of a throwaway account.
Never pip install a potentially malicious package. Installing a source distribution runs its setup.py, so "just installing it to take a look" executes whatever the adversary placed there; download and unpack the archive instead and read the files.
Use PyPI's to quickly review the following files for malware:
setup.py
__init__.py
Depending on the number of files in the package, you can continue to use the .
Adversaries will download a popular Python package, add malicious code, and re-upload the package under a similar name. In this scenario, you will want to use software capable of diffing the files in two directories to quickly find the malicious code.
Start by downloading the legitimate package, then download the suspect package. Extract both and load each package's top-level directory into your diff software; the differences between the two trees are where the malicious code, if any, lives.
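The review of setup.py and __init__.py above and the two-directory diff described here can be done from one script. The following is an added example, not tooling from the original page or from PyPI: it unpacks a legitimate and a suspect sdist without executing anything, drops the differing `name-version/` top directories so the files line up, produces unified diffs, and flags only the lines the copycat introduced that match patterns typical of install-time payloads. The package names `examplepkg` / `exampelpkg` and their contents are constructed sample data, not real PyPI packages.

```python
"""Diff a suspected copycat sdist against the legitimate one and flag suspicious
additions, without executing either.  Added example; sample packages are constructed."""
import difflib, io, re, tarfile, tempfile
from pathlib import Path

# Constructs that commonly appear in malicious setup.py / __init__.py additions.
SUSPICIOUS = {
    "exec/eval": re.compile(r"\b(exec|eval)\s*\("),
    "base64 decode": re.compile(r"\bb64decode\b"),
    "process spawn": re.compile(r"\bsubprocess\.|os\.system|os\.popen"),
    "network fetch": re.compile(r"urlopen|requests\.(get|post)|socket\.socket"),
    "install hook": re.compile(r"cmdclass|class \w+\((install|develop)\)"),
}

def safe_extract(tar_path: Path, dest: Path) -> Path:
    """Unpack an sdist without running anything; refuse absolute paths, '..'
    components and links, since the tarball itself may be hostile."""
    dest.mkdir(parents=True, exist_ok=True)
    with tarfile.open(tar_path) as tar:
        for m in tar.getmembers():
            p = Path(m.name)
            if p.is_absolute() or ".." in p.parts or m.issym() or m.islnk():
                raise ValueError(f"refusing unsafe tar member: {m.name}")
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(dest, **kwargs)  # use the 'data' filter where available
    return dest

def read_tree(root: Path) -> dict:
    # Map path-inside-sdist -> text, dropping the 'name-version/' top directory
    # so legit and copycat files line up despite different top dir names.
    return {"/".join(f.relative_to(root).parts[1:]): f.read_text(errors="replace")
            for f in root.rglob("*") if f.is_file()}

def diff_trees(legit: dict, suspect: dict) -> dict:
    """Files only on one side, plus unified diffs of files present in both."""
    changed = {}
    for name in sorted(set(legit) & set(suspect)):
        if legit[name] != suspect[name]:
            changed[name] = list(difflib.unified_diff(
                legit[name].splitlines(), suspect[name].splitlines(),
                f"legit/{name}", f"suspect/{name}", lineterm=""))
    return {"added": sorted(set(suspect) - set(legit)),
            "removed": sorted(set(legit) - set(suspect)), "changed": changed}

def flag_added_lines(diff_lines) -> list:
    """Scan only lines the copycat introduced ('+' lines, not the '+++' header)."""
    hits = []
    for line in diff_lines:
        if line.startswith("+") and not line.startswith("+++"):
            hits += [(label, line[1:].strip()) for label, rx in SUSPICIOUS.items()
                     if rx.search(line)]
    return hits

def triage(legit_tar: Path, suspect_tar: Path, work: Path) -> dict:
    """Extract both sdists, diff them, and flag suspicious added code."""
    legit = read_tree(safe_extract(legit_tar, work / "legit"))
    suspect = read_tree(safe_extract(suspect_tar, work / "suspect"))
    report = diff_trees(legit, suspect)
    flags = {n: flag_added_lines(d) for n, d in report["changed"].items()}
    for name in report["added"]:  # a brand-new file is entirely added lines
        flags[name] = flag_added_lines("+" + l for l in suspect[name].splitlines())
    report["flags"] = {n: h for n, h in flags.items() if h}
    return report

def make_sdist(path: Path, top: str, files: dict) -> Path:
    """Build a constructed .tar.gz sdist from {relative path: text} (sample data)."""
    with tarfile.open(path, "w:gz") as tar:
        for name, text in files.items():
            info = tarfile.TarInfo(f"{top}/{name}")
            info.size = len(text.encode())
            tar.addfile(info, io.BytesIO(text.encode()))
    return path

# Constructed sample: hypothetical 'examplepkg' and its copycat 'exampelpkg'.
INIT_PY = "def hello():\n    return 'hello'\n"
LEGIT_FILES = {
    "setup.py": "from setuptools import setup\nsetup(name='examplepkg', version='1.0.0', packages=['examplepkg'])\n",
    "examplepkg/__init__.py": INIT_PY,
}
COPYCAT_FILES = {  # same package plus a post-install hook; payload decodes to print('pwned')
    "setup.py": "import base64\n"
                "from setuptools import setup\n"
                "from setuptools.command.install import install\n"
                "class PostInstall(install):\n"
                "    def run(self):\n"
                "        install.run(self)\n"
                "        exec(base64.b64decode('cHJpbnQoJ3B3bmVkJyk='))\n"
                "setup(name='exampelpkg', version='1.0.0', packages=['examplepkg'],\n"
                "      cmdclass={'install': PostInstall})\n",
    "examplepkg/__init__.py": INIT_PY,
}

def demo(work=None) -> dict:
    work = Path(work or tempfile.mkdtemp(prefix="pypi-triage-"))
    legit = make_sdist(work / "examplepkg-1.0.0.tar.gz", "examplepkg-1.0.0", LEGIT_FILES)
    suspect = make_sdist(work / "exampelpkg-1.0.0.tar.gz", "exampelpkg-1.0.0", COPYCAT_FILES)
    return triage(legit, suspect, work / "extracted")

if __name__ == "__main__":
    for name, hits in demo()["flags"].items():
        for label, line in hits:
            print(f"{name}: [{label}] {line}")
```

Run against real downloads by pointing `triage()` at the two `.tar.gz` files you fetched from PyPI's "Download files" page. The pattern list is a triage aid, not a verdict: a clean diff of `setup.py` and `__init__.py` still needs a human read, and anything flagged should be read in its full diff context before you report the package.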
If no malicious code is found, consider informing the development team of the legitimate package about the copycat package.
You can leave the decision to report the copycat package in the hands of the development team. Popular packages on PyPI typically list an email address under the Author field for contact.
If a package contains many files, then it can become tedious to use the .
Download the package using PyPI's "Download Files" button and select the tar.gz archive. You can then decompress the archive and analyze the files within VSCode using .
On Windows, you can use free software to achieve this.
If you do find malware, then report the package to .
How to analyze a potentially malicious package