Post Syndicated from corbet original http://lwn.net/Articles/690605/rss
Nikolai Tschacher demonstrates
how easy it is to run arbitrary code by way of “typosquatting” uploads
to programming language download sites. “Because everybody can
upload any package on PyPI, it is possible to create packages which are
typo versions of popular packages that are prone to be mistyped. And if
somebody unintentionally installs such a package, the next question comes
intuitively: Is it possible to run arbitrary code and take over the
computer during the installation process of a package?” He tried an
experiment and was able to run a little program that phoned home from
thousands of systems.