Somebody typosquatting at PyPI: home-assistant

Has anyone checked this out? Is there anything malicious here or just being a jerk/gray-hat?

Looks relatively harmless but this is totally not cool.

import requests
from datetime import datetime
from sys import version_info
from typing import Optional
from uuid import uuid1

__version__ = "0.0.0"  # placeholder; the squatting package supplies its own value


def pyng() -> Optional[requests.Response]:
    """Ping my domain to get a rough counter."""
    # Phones home with a fresh uuid1 (which embeds the host's MAC address and a
    # timestamp), the local wall-clock time, the package version and the
    # interpreter version. Any failure is swallowed, so the user never sees it.
    try:
        return requests.post(
            "https://cbvnjl6am6.execute-api.us-east-1.amazonaws.com/pyng",
            json={
                "uuid": str(uuid1()),
                "datetime": datetime.isoformat(datetime.now()),
                "version": __version__,
                "python": f"{version_info.major}.{version_info.minor}.{version_info.micro}",
            },
        )
    except Exception:  # noqa # nosec
        return None

Severe temptation to DDoS this and drive this guy’s AWS invoice into sticker shock.

Reported to the PyPI conduct email address…if that’s the right place.

There are researchers who are doing this to see how often memory corruption causes a package with a slightly wrong name to be pulled… but this is not that, since there isn’t a typo really.

This looks like someone who is preventing typosquatting, and he is also a contributor to the HA codebase on GitHub.

Well, I’m slightly less irritated than I was yesterday, but I don’t think this is appropriate. And I don’t think there’s any meaningful likelihood that memory corruption leads to the wrong package being pulled like this, only human error: this is a social engineering vector.

I ended up with this fake module by making the following mistake:

(homeassistant) ~/homeassistant > pip install --upgrade home-assistant

Note the "-" which shouldn’t be there.

The result was this incredibly unhelpful and pranky output when starting Home Assistant:

(homeassistant) ~/homeassistant > bin/hass

Do you know Typosquatting? ;)

https://en.wikipedia.org/wiki/Typosquatting

¯\_(ツ)_/¯
(homeassistant) ~/homeassistant >

Not…at…all…humorous.

This may be preventing a malicious attack… but it is decidedly the OPPOSITE of supportive to the user community. IMHO, the core dev team should at a minimum ask this contributor to kindly stop trolling the user community. Granted, not many inexperienced users may install Core, and thus be likely to install/upgrade this way, but I bet not all of those who do would know where to start to figure out what’s going on here, and many may freak out a little as I did.

Oh… and after all the tiptoeing and careful wording choices surrounding the enablement of analytics in both the installer and main product… we’re supposed to be okay with somebody throwing up a data collector that is the polar opposite of opt-in? I think not! Very much out of touch with the product’s comms strategy.
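The mistake described above (a stray hyphen in "home-assistant") slips through because PEP 503 name normalisation only collapses runs of "-", "_" and "." into a single hyphen; it never removes them, so "home-assistant" and "homeassistant" are two different projects on PyPI and pip happily installs whichever one you typed. The following is an added example, not code from this thread or from the Home Assistant project, of a pre-install check that flags a requested name as a lookalike of a protected one. The PROTECTED list and the sample names are constructed for illustration; the normalisation rule is PEP 503's, the separator-stripping and edit-distance checks are this example's own heuristics.

```python
import re
from typing import Optional, Sequence, Tuple

# Constructed list of names this check protects. Deciding what to protect is
# the project's or the index operator's call, not this example's.
PROTECTED = ("homeassistant", "requests")


def normalize(name: str) -> str:
    """PEP 503 project-name normalisation: lowercase, runs of '-', '_', '.' -> '-'.

    pip treats two names with the same normalised form as the same project.
    """
    return re.sub(r"[-_.]+", "-", name).lower()


def strip_separators(name: str) -> str:
    """Go further than PEP 503 and drop separators entirely, so that
    'home-assistant' and 'homeassistant' compare equal (heuristic, not pip's rule)."""
    return re.sub(r"[-_.]+", "", name).lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the usual two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def check_name(requested: str,
               protected: Sequence[str] = PROTECTED,
               max_distance: int = 1) -> Tuple[str, Optional[str]]:
    """Classify a requested package name against the protected list.

    Returns ("same", name)      pip would resolve it to the protected project itself
            ("lookalike", name) a distinct project on the index, but only a
                                separator change or one edit away from `name`
            ("unrelated", None) no protected name is close
    """
    req = normalize(requested)
    for name in protected:
        if req == normalize(name):
            return ("same", name)
    for name in protected:
        if (strip_separators(req) == strip_separators(name)
                or edit_distance(req, normalize(name)) <= max_distance):
            return ("lookalike", name)
    return ("unrelated", None)


if __name__ == "__main__":
    # Constructed sample requests, including the one from this thread.
    for candidate in ("homeassistant", "HomeAssistant", "home-assistant",
                      "home_assistant", "homeasistant", "flask"):
        print(f"{candidate:16} -> {check_name(candidate)}")
```

Wired in front of pip (a shell alias, a pre-commit hook on requirements files, or a CI step over a lockfile), a "lookalike" verdict is the point to stop and ask the user whether they meant the protected name, which is the kind of warning the poster wishes the squatting package had given instead of phoning home.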

A better option would have indeed been to notify that it is not the right package.

I would, however, not consider logging the Python version and the ISO datetime to be invasive analytics. I would be far less concerned if the statistics for trying to pull the wrong package were updated in a public manner.