pycryptodome icon indicating copy to clipboard operation
pycryptodome copied to clipboard
verified publisher icon Legrandin

How to ensure that the pycryptodome library is secure and does not send passwords to the backend

Open Morishima-Hodaka opened this issue 1 year ago • 1 comments

How to ensure that the pycryptodome library is secure and does not send passwords to the backend

Recently (April 25, 2024), the Xuanjing Supply Chain Security Intelligence Center captured a CStealer secret-stealing backdoor poisoning incident in the Pypi official warehouse (https://pypi.org/). The poisoner released 6 different versions of the malicious Py package multiplerequests in succession, targeting Python developers on the Windows platform. When the malicious package is installed, it will remotely load the CStealer backdoor to the victim's system for execution. The backdoor will steal the victim's system sensitive information, mainstream browser privacy data, digital currency wallet application data, and system screenshots, etc. In addition, the backdoor will also try to reside in the Windows system startup directory to achieve self-startup at boot.

Morishima-Hodaka avatar Jul 16 '24 08:07 Morishima-Hodaka

What you are referring to has nothing to do with pycryptodome security. Pypi is a repository for python package where everyone can publish and download packages. Here, some malicious packages has been spotted and removed from the platform. They played with the fact that people can misspelled packages name and download the wrong one. In this case the packages name was "multiplerequests" which is very closed to "requests" or "multiprocessing" and people can make a mistake.

Pycryptdome is open-source, if you want to verify the security of it, just check the code by yourself. And if you want to be sure that you downloaded the right package, verify the hash footprint which is the way to verify the code authenticity and integrity.

Bl4omArchie avatar Jul 21 '24 23:07 Bl4omArchie

Indeed, as with any other open source library, the best option is to download the code, inspect and build it yourself on machines you trust. If you download the code from gihub, you can at least verify that the release ZIP file is signed with the same PGP key that signed any other ZIP file in the past (this would only prove that github or the credentials to access github were not compromised).

And, again as with any other library hosted on PyPI, if you download wheels from PyPI (besides the real problem of typosquatting), you trust PyPI from not being compromised (their "Trusted Publisher" initiative does not help, despite the name), no matter what github or the original source code contains.

Legrandin avatar Mar 16 '25 08:03 Legrandin