Recently we saw an attempt to hide a back door in a code library, and today there is a new case. This time, information security experts found the backdoor in a Python module.
In the SSH Decorator module (ssh-decorate), created by the Israeli developer Uri Goren, which is a library for handling SSH connections from the Python code.
On Monday, a developer noticed that several versions of the SSH Decorate module contained code that collected users’ SSH credentials and sent the data to a remote server located at: http:// ssh-decorate.cf/index.php
The professional said: the Backdoor is the result of a hack. After being questioned, Goren said that the back door was not intentional and that it was the result of an attack.
“My PyPI password has been updated and I have forwarded the package with a new name ssh-decorator”, said the professional. “In the same way we updated the Readme file of the repository, to be sure that the users are also aware of this incident”.
The README file says: We have been informed that previous versions of this module had been hijacked and illegally loaded into PyPi. Be sure to look at the code in this package before using it.
After the incident became a topic of trepidation yesterday, and some people filed some accusations, Goren decided to eliminate the package completely, both from GitHub and from PyPI, Python’s central repo center, information security researchers said.
If you are still using the SH Decorator module (ssh-decorate), the last safe version was 0.27. Versions 0.28 to 0.31 are considered malicious.
This is not the first time that libraries have backdoors and are loaded into central code repositories. The last incident occurred just last week, when the npm team found a cleverly hidden back door that broke through at npm.