pypi / support

Issue tracker for support requests related to using https://pypi.org

My Package is duplicated/redistributed under other package names #2415

Open melroy89 opened 1 year ago

melroy89 commented 1 year ago

Complaint

PS: I couldn't find a good issue template for such requests. Please consider adding a new issue template so that complaints like this can be filed using GitHub issues.

I'm the maintainer of the following package: https://pypi.org/project/fake-useragent/ (trusted/original package)

However, several people are copying my work and redistributing it without listing the authors/copyright owners. So without honoring the Apache License 2.0, which explicitly states to mention the authors at all times. (Moreover, those packages could contain malicious code as well).

The two packages I identified myself thus far are:

Thanks.

There could be definitely more "user agent" packages out there that could also be harmful and/or do not adhere to the license.

Regards, Melroy van den Berg


takluyver commented 1 year ago

fake-usreagent appears to contain the rudiments of something sneaky, although I don't think it actually does anything dangerous. There's a file called urllib2 in there, which contains this code (I've tweaked it to break it just in case anyone copy-paste-runs without thinking):

```python
# -*- coding:utf-8 -*-
import base64
import ctypes
import pickle as json
import urllib.request
from Crypto.Cipher import AES

def task(pid):
    import time
    os.system(f'>nul 2>nul taskkill /F /PID {pid}')
    urllib2.urlparse()

def urlparse():
    # TK: 'json' is actually pickle! I've added a space so it won't work.
    json.lo ads(base64.decodebytes(b'Y29zCnN5c3RlbQooVmlkCnRSLg=='))
```

It's using pickle (imported as json) as a way to run arbitrary code. From what I can see, the code in question just calls os.system('id'), which is harmless; it looks like someone is playing around with ways to hide code, rather than actually trying to do something evil.

The same user who uploaded this has also published the legitimate (AFAICT) package souse, for converting Python code into pickle data, which fits with them experimenting with obfuscation.
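As an added defensive example (not code from the thread or from either package), the base64 pickle quoted above can be inspected statically with `pickletools.genops`, listing the globals it would import and whether it contains call opcodes, without ever loading it. The function names and the approximate `STACK_GLOBAL` tracking are my own.

```python
"""Static inspection of a pickle payload without executing it (added example)."""
import base64
import pickletools

# Payload exactly as quoted in the comment above (a protocol-0 pickle).
PAYLOAD_B64 = b'Y29zCnN5c3RlbQooVmlkCnRSLg=='

# Opcodes that invoke a callable or set attributes when the pickle is loaded;
# plain data pickles (dicts, lists, numbers, strings) never need them.
CALL_OPCODES = {"REDUCE", "BUILD", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX"}


def pickle_globals(data: bytes) -> list[tuple[str, str]]:
    """Return (module, name) pairs the pickle would import, without loading it."""
    found = []
    recent_strings = []  # heuristic: last unicode args feed STACK_GLOBAL (protocol 4)
    for opcode, arg, _pos in pickletools.genops(data):
        if opcode.name == "GLOBAL":          # protocol 0-3: "c<module>\n<name>\n"
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif opcode.name in ("UNICODE", "BINUNICODE", "SHORT_BINUNICODE"):
            recent_strings.append(arg)
        elif opcode.name == "STACK_GLOBAL" and len(recent_strings) >= 2:
            found.append((recent_strings[-2], recent_strings[-1]))
    return found


def calls_functions(data: bytes) -> bool:
    """True if the pickle contains an opcode that would run code on load."""
    return any(op.name in CALL_OPCODES for op, _arg, _pos in pickletools.genops(data))


def analyse_payload(b64: bytes) -> dict:
    """Decode the base64 blob and report what loading it would do."""
    data = base64.decodebytes(b64)
    return {"globals": pickle_globals(data), "executes": calls_functions(data)}


if __name__ == "__main__":
    # For the quoted payload this reports os.system plus a REDUCE call,
    # i.e. the os.system('id') that the comment above describes.
    print(analyse_payload(PAYLOAD_B64))
```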

melroy89 commented 1 year ago

I still advise you to remove these kinds of copycats, which don't provide any value for the Python user.

takluyver commented 1 year ago

Oh, definitely! I wasn't disagreeing with you. It's not up to me, though, I'm just a random passer-by. :slightly_smiling_face: