pypi-library-poison

This is not limited to bug bounty work; the same technique is also used in red team engagements.

step by step: how to publish your library

  1. register your pypi account at https://pypi.org/
  2. lay out the package (output of `tree example-pypi`, three entries: the build script at the top level and a package directory holding its `__init__.py`):

```
setup.py
example-pypi
    __init__.py
```

setup.py example

```python
#!/usr/bin/env python
# coding: utf-8

from setuptools import setup

# your evil code can go here


setup(
    name='example-pypi',
    version='1.0.1',
    author='admin',
    author_email='admin@example.com',
    url='https://www.google.com',
    description='example-pypi',
    packages=['example-pypi'],
    install_requires=['requests'],
    license='MIT'
)
```

you can get the setup example from
https://github.com/kennethreitz/setup.py

evil demo code
https://github.com/fate0/cookiecutter-evilpy-package/
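The reason the comment "your evil code can go here" matters is that setup.py is ordinary Python executed by the installing machine, so anything placed at its top level runs during installation rather than when the package is imported. The following is an added example (not code from the page, nor from the setup.py or evilpy-package repositories it links) of the static check a reviewer or a CI pipeline can run over a setup.py before trusting it: it parses the file with the standard library `ast` module, flags every top-level statement that is not an import, a definition, a constant assignment or the `setup(...)` call itself, and separately flags imports and calls commonly associated with install-time payloads anywhere in the file, including inside custom `cmdclass` hooks. Both sample files embedded below are constructed for this example; the module and call lists are an assumption chosen for illustration, not a complete indicator set.

```python
import ast
import sys

# Constructed benign sample: the metadata-only shape shown on the page.
BENIGN_SETUP_PY = """\
from setuptools import setup

setup(
    name='example-pypi',
    version='1.0.1',
    packages=['example-pypi'],
    install_requires=['requests'],
)
"""

# Constructed sample with a top-level statement in the spot the page marks
# as "your evil code can go here"; it only echoes, so it is safe to run.
SUSPICIOUS_SETUP_PY = """\
from setuptools import setup
import subprocess

subprocess.call(["echo", "constructed sample: runs at install time"])

setup(
    name='example-pypi',
    version='1.0.1',
    packages=['example-pypi'],
)
"""

# Assumed indicator lists for this example (not exhaustive).
SUSPICIOUS_MODULES = {"subprocess", "socket", "urllib", "requests", "ctypes", "base64"}
SUSPICIOUS_CALLS = {
    "exec", "eval", "compile", "__import__",
    "os.system", "os.popen",
    "subprocess.run", "subprocess.call", "subprocess.Popen", "subprocess.check_output",
    "base64.b64decode",
}


def _dotted(node):
    """Return 'a.b.c' for a Name/Attribute chain, else None."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def audit_setup_py(source):
    """Statically inspect setup.py source.

    Returns a sorted list of (lineno, kind, detail) findings, where kind is
    'toplevel' (a statement that executes at install time and is not part
    of declaring metadata), 'import' or 'call'.
    """
    tree = ast.parse(source)
    findings = []

    # 1. Top-level statements: a metadata-only setup.py needs nothing beyond
    #    imports, definitions, constant assignments and the setup(...) call.
    for node in tree.body:
        if isinstance(node, (ast.Import, ast.ImportFrom, ast.FunctionDef, ast.ClassDef)):
            continue
        if isinstance(node, ast.Assign) and isinstance(node.value, ast.Constant):
            continue
        if isinstance(node, ast.Expr) and _dotted(getattr(node.value, "func", None)) == "setup":
            continue
        findings.append((node.lineno, "toplevel", type(node).__name__))

    # 2. Indicator imports and calls anywhere in the file, so code hidden in
    #    a custom install command class is reported as well.
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name.split(".")[0] in SUSPICIOUS_MODULES:
                    findings.append((node.lineno, "import", alias.name))
        elif isinstance(node, ast.ImportFrom):
            if (node.module or "").split(".")[0] in SUSPICIOUS_MODULES:
                findings.append((node.lineno, "import", node.module))
        elif isinstance(node, ast.Call):
            name = _dotted(node.func)
            if name in SUSPICIOUS_CALLS:
                findings.append((node.lineno, "call", name))
    return sorted(findings)


if __name__ == "__main__":
    # Audit a setup.py given on the command line, or the embedded samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            targets = {sys.argv[1]: fh.read()}
    else:
        targets = {"benign": BENIGN_SETUP_PY, "suspicious": SUSPICIOUS_SETUP_PY}
    for label, src in targets.items():
        print(f"== {label}")
        for lineno, kind, detail in audit_setup_py(src):
            print(f"  line {lineno}: {kind} {detail}")
```

Run it with a path (`python audit_setup.py path/to/setup.py`) to audit a package you are about to install from source, or with no arguments to see the benign sample produce no findings while the suspicious one reports the `subprocess` import, the `subprocess.call` call and the top-level expression on line 4. An empty result only means the file contains none of these indicators; it is a triage aid, not proof of safety.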

```shell
python setup.py check

python setup.py bdist_wheel --universal

pip install twine

twine upload -u your_pypi_username -p 'your_pypi_password' dist/*
```

reference