
Poison packages – “Supply Chain Risks” user hits Python community with 4000 fake modules
2021-03-07 23:43

If you suddenly realise you want to use a Python module called asteroid, for example, you can just do pip install asteroid, after which your own Python programs can say import asteroid, and start making use of the package.

A third sort of supply chain attack - one that is rather less sophisticated and has no guarantee of success, yet is extremely easy to pull off - is to create a fake package with a misleading name that users in a hurry might download and install by mistake.

As far as we are aware, none of these fake packages contained outright malware, or indeed any permanent package code at all.

Fascinatingly, if rather pointlessly, this user didn't just upload the five fake libraries listed above, but a grand total, according to the Wayback Machine, of 3951 utterly bogus PyPI packages.

We haven't been able to figure out where or how our mystery Supply Chain Risks user generated their list of fake package names, but perhaps just having a small number of "real-looking" typosquat fakes amongst the vast sea of bogus and even ludicrous ones was part of the plan?

If you are using Python packages that you haven't published externally, then the one thing you can be sure of is that all external copies of "your" package are imposter modules, probably malware.
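The two risks the article describes, typosquat names that are a keystroke away from a package you really use, and internal-only names that have no legitimate copy on the public index, can both be checked before pip ever runs. The script below is an added illustration written for this page, not code from Sophos or from the article; the allowlist, the internal package name acme-internal-auth, and the sample requirements file are all constructed for the example.

```python
"""Audit a requirements list for typosquat candidates and internal-only names.

Added example (not from the article). Checks each requested package name:
  * internal-name: the name belongs to a package that exists only in a
    private index, so a public copy would be an impostor;
  * typosquat-candidate: the name is within a small edit distance of a
    package on the team's allowlist but is not itself on it;
  * unknown: the name is on neither list and resembles nothing on the
    allowlist, so it needs a human look before installation.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class Finding:
    requested: str   # name exactly as written in the requirements file
    kind: str        # "internal-name" | "typosquat-candidate" | "unknown"
    detail: str


def normalize(name: str) -> str:
    """PEP 503 name normalization: lowercase, runs of '-', '_' and '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; small enough to keep inline for an audit script."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_requirements(text: str) -> list[str]:
    """Return the bare project names from a pip requirements file."""
    names = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "-")):
            continue  # comments and pip options such as -r / --index-url
        match = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if match:
            names.append(match.group(0))
    return names


def audit_requirements(text: str, allowlist: set[str], internal: set[str],
                       max_distance: int = 2) -> list[Finding]:
    """Flag names that should not be installed from the public index as-is."""
    allowed = sorted(normalize(n) for n in allowlist)  # sorted for stable "nearest"
    private = {normalize(n) for n in internal}
    findings: list[Finding] = []
    for requested in parse_requirements(text):
        name = normalize(requested)
        if name in private:
            findings.append(Finding(requested, "internal-name",
                                    "internal package; any public copy is an impostor"))
        elif name in allowed:
            continue  # exactly what the team expects
        else:
            nearest = min(allowed, key=lambda cand: levenshtein(name, cand))
            distance = levenshtein(name, nearest)
            if distance <= max_distance:
                findings.append(Finding(requested, "typosquat-candidate",
                                        f"{distance} edit(s) from '{nearest}'"))
            else:
                findings.append(Finding(requested, "unknown",
                                        "not on the allowlist; review before install"))
    return findings


# Constructed sample data: the allowlist, the internal name and the file are made up.
ALLOWLIST = {"requests", "numpy", "asteroid"}
INTERNAL = {"acme-internal-auth"}
SAMPLE_REQUIREMENTS = """\
# constructed sample requirements file
requests==2.25.1
requets>=2.0
Asteroid
numpyy
acme_internal_auth~=1.4
leftpad-utils
"""

if __name__ == "__main__":
    for finding in audit_requirements(SAMPLE_REQUIREMENTS, ALLOWLIST, INTERNAL):
        print(f"{finding.kind:20} {finding.requested:22} {finding.detail}")
```

Run against the constructed file, the audit flags requets and numpyy as typosquat candidates, acme_internal_auth as an internal name that must never be resolved from the public index, and leftpad-utils as unknown, while requests and Asteroid pass because they normalize to allowlisted names. In practice the allowlist would be generated from a lock file and the internal set from the private index, and the check would run in CI before any install step.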


News URL

https://nakedsecurity.sophos.com/2021/03/07/poison-packages-supply-chain-risks-user-hits-python-community-with-4000-fake-modules/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Python 27 10 87 75 27 199