The PyPI repository has eliminated a Python bundle referred to as ‘mitmproxy2’ that was an similar copy of the official “mitmproxy” library, however with an “artificially launched” code execution vulnerability.
The official ‘mitmproxy’ Python library is a free and open-source interactive HTTPS proxy with over 40,000 weekly downloads.
Copycat bundle might trick devs into falling for ‘newer’ model
Yesterday, Maximilian Hils, who is without doubt one of the builders behind the ‘mitmproxy’ Python library drew everybody’s consideration in the direction of a counterfeit ‘mitmproxy2’ bundle uploaded to PyPI.
‘mitmproxy2’ is basically “the identical as common mitmproxy however with a man-made RCE vulnerability included.”
The extra well-liked you get, the extra shit you entice: Somebody uploaded “mitmproxy2” to @PyPI, which is similar as common mitmproxy however with a man-made RCE vulnerability included.
— Maximilian Hils (@maximilianhils) October 11, 2021
Hils’ predominant concern, as he describes to BleepingComputer, was that some software program builders may mistake ‘mitmproxy2’ as a more moderen model” of ‘mitmproxy’ and inadvertently introduce insecure code of their apps.
Hils discovered this copycat bundle in what he calls a “pleased little accident” whereas trying into an unrelated PyPI warehouse issue.
On analyzing the variations between ‘mitmproxy2’ and his ‘mitmproxy,’ something important stood out. The previous had all safeguards faraway from the API:
“While you run mitmproxy’s internet interface, we expose an HTTP API for that. For those who take away all safeguards from that API, everybody on the identical community can execute code in your machine with a single HTTP request,” Hils advised BleepingComputer in an e-mail interview.
It is not clear both if the person who revealed the copycat ‘mitmproxy2’ bundle did so with willful malicious intent or simply out of insecure coding practices.
“To be clear, this actually is not probably the most malicious factor an attacker might do. It will be far more simple to only add some malicious code that will get executed on set up straight away.”
“The issue is in fact when you add that to PyPI as ‘mitmproxy2’ with a model quantity that signifies it is newer/a successor, individuals will inevitably obtain that not figuring out in regards to the adjustments.”
Hils thanked PyPI volunteers for swiftly reacting to this report. Inside 4 hours of Hils’ tweet ‘mitmproxy2’ was taken down.
Whack-a-mole: one other copycat seems hours later
Whereas analyzing ‘mitmproxy2’, BleepingComputer found one other bundle ‘mitmproxy-iframe‘ had appeared on the PyPI registry, lower than a day after ‘mitmproxy2’ was eliminated.
As soon as once more, this bundle is a precise duplicate of the official mitmproxy, however with the aforementioned safeguards faraway from the “app.py” file, as seen by BleepingComputer.
Apparently, mitmproxy-iframe is additionally revealed by the identical person who’s behind ‘mitmproxy2’, now casting doubts on what the person’s intentions are:
As a result of anybody can publish packages to open-source ecosystems, safety threats and assaults like malware injection, typosquatting, brandjacking, and dependency confusion have elevated quickly in latest occasions.
Until concrete validations are put in place by open-source registries, these “whack-a-mole” conditions are certain to repeat themselves.
BleepingComputer notified PyPI of the ‘mitmproxy-iframe’ bundle previous to publishing and the bundle was taken down.