-
Notifications
You must be signed in to change notification settings - Fork 150
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Risk of pip Typosquatting attack #468
Comments
@SlugFiller for visibility (author of document) |
The correct list of packages appears in the main page, here. Copy and pasting it on every document, and keeping all the copies up to date, would be both redundant and difficult (and also error-prone). Also, I recall there was a discussion about it, and most of the packages appear in both forms. I should also mention that typosquatting is not the only form supply chain attack possible. Besides, the entire model of hardware wallets is to assume a compromised computer. If a malicious package tries something funny, you have your device to protect you. |
NOTE: This repository lacks a security.md file. It is highly suggested to create and detail one, detailed here
Issue Summary:
A lack of naming consistency and a lack authoritative documentation of pip packages for devices and agents generates a risk of typosquatting attacks
A malicious actor may create an alternative python package and take advantage of individuals who mistype or are tricked into using a malicious yet functionally identical pip package
Evidence
https://github.com/romanz/trezor-agent/blob/master/doc/README-Windows.md#2-install-the-agent
Minimum Determined Fix(s)
The text was updated successfully, but these errors were encountered: