Yahoo Web Search

Search results

  1. Nov 17, 2023 · The 27 packages, which masqueraded as popular legitimate Python libraries, attracted thousands of downloads, Checkmarx said in a new report. A majority of the downloads originated from the U.S., China, France, Hong Kong, Germany, Russia, Ireland, Singapore, the U.K., and Japan. "A defining characteristic of this attack was the utilization of ...

  2. There are actually three different ways to define a module in Python: A module can be written in Python itself. A module can be written in C and loaded dynamically at run-time, like the re (regular expression) module. A built-in module is intrinsically contained in the interpreter, like the itertools module.

  3.

    • How to Find Malicious Libraries
    • Getting Python Packages
    • The Results
    • Interesting Packages
    • What Happens When We Find A Malicious Package?
    • Moving Forward

    To run arbitrary commands during installation, authors typically add code to the setup.py file in their package. You can see some examples in this repository. At a high level, there are two things you can do to find potentially malicious dependencies: you can look through the code for bad things (static analysis), or you can live dangerously and ju...

    Fortunately for us, PyPI has an API called the “Simple API” that can also be thought of as “a very big HTML page with a link to every package” since that’s what it is. It’s simple, clean, and better than any HTML I can probably write. We can grab this page and parse out all the links using pup, giving us right around 268,000 packages: For this exper...

    Once this was complete, I had about a terabyte of data sitting in an S3 bucket covering around 245,000 packages. A few packages didn’t have a published version, and some had various processing errors, but this felt like a great sample set to work from. Now for the fun part: a crapton of grep ✨ analysis ✨. I merged the metadata and the output, giving me...

    Digging into the results, most network connections and commands appeared to be legitimate, as expected. But there were a few instances of odd behavior I wanted to call out as case studies to show how useful this type of analysis can be.

    It’s worth briefly discussing what we can do when we find a malicious package. The first thing to do would be to alert the PyPI volunteers so they can take down the package. This can be done by contacting security@python.org. After that, we can look at how many times the package has been downloaded using the PyPI public dataset on BigQuery. Here’s ...

    This first pass was just taking an initial look at PyPI as a whole. Looking through the data, I didn’t find any packages doing significantly harmful activity that didn’t also have “malicious” somewhere in the name, which was good! But it’s always possible I missed something, or that it would happen in the future. If you’re interested in digging int...

    • NumPy. NumPy is the primary tool for scientific computing in Python. It combines the flexibility and simplicity of Python with the speed of languages like C and Fortran.
    • pandas. If you work with tabular, time series, or matrix data, pandas is your go-to Python package. It is known as a fast, efficient, and easy-to-use tool for data analysis and manipulation.
    • Matplotlib. Matplotlib is the most common data exploration and visualization library. You can use it to create basic graphs like line plots, histograms, scatter plots, bar charts, and pie charts.
    • Seaborn. Seaborn is a high-level interface for drawing attractive statistical graphics with just a few lines of code. Let's see it in action. We'll use the famous iris flower dataset in our example.
    • pudb for Visual Debugging. Christopher Trudeau is an author and course creator at Real Python. At work he’s a consultant who helps organizations improve their technical teams.
    • requests for Interacting With the Web. Martin Breuss is an author and course creator at Real Python. He works as a programming educator at CodingNomads, where he teaches bootcamps and online courses.
    • parse for Matching Strings. Geir Arne Hjelle is an author and reviewer at Real Python. He works as a data science consultant in Oslo, Norway, and is particularly happy when his analysis involves maps and images.
    • dateutil for Working With Dates and Times. Bryan Weber is an author and reviewer for Real Python and a professor in mechanical engineering. When not writing Python or teaching, he can most likely be found cooking, playing with his family, or going for a hike, and on good days, all three.
  4. 3 days ago · Here’s a basic code sample demonstrating how to create a simple Python package: Create a directory named mypackage. Inside mypackage, create two Python files: module1.py and module2.py. Create an __init__.py file inside mypackage (it can be empty). Add some code to the modules.

  5. The per-user site-packages directory is where Python installs your local packages: python -m site --user-site. If this points to a non-existing directory, check the exit status of Python and see python -m site --help for explanations. Hint: Running pip list --user or pip freeze --user gives you a list of all installed per-user site-packages.