PyPI package 'keep' mistakenly included a password stealer (Security News, June 2022)

Some versions of the PyPI packages 'keep', 'pyanxdns' and 'api-res-py' were found to contain a backdoor because they declared the malicious 'request' package as a dependency.
PyPI package 'keep' uses malicious 'request'.
Some versions of the PyPI packages 'keep', 'pyanxdns' and 'api-res-py' were caught pulling in a malicious dependency, 'request'.
Back in 2020, Tencent Onion Anti-Intrusion System discovered a malicious typosquat 'request' uploaded to the PyPI registry which impersonated the requests HTTP library but instead dropped malicious info-stealers.
"We found a malicious backdoor in version 1.2 of this project, and its malicious backdoor is the request package. Even if the request package was removed by PyPI, many mirror sites did not completely delete this package, so it could still be installed," writes GitHub user duxinglin1.
Although the malicious 'request' dependency has long since been removed from the PyPI registry, anybody who installs a vulnerable version of these packages while relying on a mirror to fetch dependencies can still end up with the info-stealer on their system.
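One defensive check this story suggests is to inspect a package's declared dependencies for near-misses of well-known names before installing from a mirror. The following is an added example, not code from the article or from any of the packages named in it; the list of popular names and the METADATA text are constructed for illustration.

```python
import re
# Popular names to compare against; an assumed list for this example, not a PyPI feed.
POPULAR = {"requests", "urllib3", "numpy", "pyyaml", "cryptography", "setuptools"}

def normalize(name: str) -> str:
    """PEP 503 normalization: lowercase, collapse runs of '-', '_' and '.' to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one-character typosquats like request/requests."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def parse_requires_dist(metadata: str) -> list[str]:
    """Extract normalized dependency names from 'Requires-Dist:' lines of a METADATA file."""
    names = []
    for line in metadata.splitlines():
        if line.startswith("Requires-Dist:"):
            req = line.split(":", 1)[1].strip()
            # The name ends where extras, version specifiers or environment markers begin.
            m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", req)
            if m:
                names.append(normalize(m.group(0)))
    return names

def flag_lookalikes(metadata: str, max_distance: int = 1) -> dict[str, str]:
    """Map each dependency that is a near-miss of a popular name to that popular name."""
    flagged = {}
    for dep in parse_requires_dist(metadata):
        if dep in POPULAR:
            continue
        for pop in POPULAR:
            if edit_distance(dep, pop) <= max_distance:
                flagged[dep] = pop
                break
    return flagged

# Constructed METADATA resembling a package whose dependency list names the typosquat.
SAMPLE_METADATA = """\
Name: example-pkg
Requires-Dist: request
Requires-Dist: PyYAML (>=5.1)
Requires-Dist: numpy; python_version >= "3.8"
"""
```

Calling `flag_lookalikes(SAMPLE_METADATA)` returns `{'request': 'requests'}`; the same function can be pointed at the METADATA file inside any downloaded wheel or at the `.dist-info` directories of an installed environment.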