Malicious packages mitmproxy2 and mitmproxy-iframe removed from PyPI directory

Pinterest LinkedIn Tumblr

The author of mitmproxy , a tool for analyzing HTTP / HTTPS traffic, drew attention to the appearance of a fork of his project in the Python Package Index (PyPI) directory. The fork was distributed under the similar name mitmproxy2 and the non-existent version 8.0.1 (current release of mitmproxy 7.0.4) with the expectation that inattentive users will perceive the package as a new version of the main project ( typesquatting ) and wish to try the new version.

In terms of its composition, mitmproxy2 was similar to mitmproxy, with the exception of changes in the implementation of malicious functionality. The changes were reduced to the termination of setting the HTTP header ” X-Frame-Options: DENY “, which prohibits the processing of content inside the iframe, disabling protection against XSRF attacks and setting the headers ” Access-Control-Allow-Origin: * “, ” Access-Control- Allow-Headers: * “and” Access-Control-Allow-Methods: POST, GET, DELETE, OPTIONS “.

These changes removed the restrictions on access to the HTTP API used to control mitmproxy via the Web interface, which allowed any attacker located on the same local network to organize the execution of their code on the user’s system by sending an HTTP request.

The directory administration agreed that the changes made can be interpreted as malicious, and the package itself as an attempt to promote another product under the guise of the main project (the package description stated that this is a new version of mitmproxy, not a fork). After removing the package from the directory the next day, a new package mitmproxy-iframe was posted to PyPI , the description of which also completely coincided with the official package . The mitmproxy-iframe package has now been removed from the PyPI directory as well.

Write A Comment