0

I'm not a professional at recognizing security issues in Python modules, but is one of these Python modules possibly dangerous or does it contain malware?

altgraph 0.17.3
atlassian-python-api 3.39.0
attrs 23.1.0
auto-py-to-exe 2.36.0
bottle 0.12.25
bottle-websocket 0.2.9
certifi 2023.5.7
cffi 1.15.1
chardet 5.1.0
charset-normalizer 3.2.0
cryptography 41.0.2
Deprecated 1.2.14
Eel 0.16.0
exceptiongroup 1.1.2
future 0.18.3
gevent 23.7.0
gevent-websocket 0.10.1
greenlet 2.0.2
h11 0.14.0
idna 3.4
isodate 0.6.1
jwt 1.3.1
lxml 4.9.3
oauthlib 3.2.2
outcome 1.2.0
pefile 2023.2.7
Pillow 10.0.0
pip 23.1.2
platformdirs 3.8.1
plyer 2.1.0
pycparser 2.21
pyinstaller 5.13.0
pyinstaller-hooks-contrib 2023.5
PyJWT 2.7.0
pyparsing 3.1.0
pypiwin32 223
PySocks 1.7.1
pystray 0.19.4
pytz 2023.3
pywin32 306
pywin32-ctypes 0.2.2
requests 2.31.0
requests-file 1.5.1
requests-oauthlib 1.3.1
requests-toolbelt 1.0.0
selenium 4.10.0
setuptools 65.5.0
six 1.16.0
sniffio 1.3.0
sortedcontainers 2.4.0
trio 0.22.2
trio-websocket 0.10.3
urllib3 2.0.3
whichcraft 0.6.1
win10toast 0.9
winotify 1.1.0
winsdk 1.0.0b9
wrapt 1.15.0
wsproto 1.2.0
zeep 4.2.1
zope.event 5.0
zope.interface 6.0

Is there a way to find out this information in a simple manner?

I have installed the modules, but I'm unsure whether these modules are truly secure.

2
  • If you don't trust the module authors, why would you trust random people on stackoverflow? Commented Jul 20, 2023 at 21:49
  • @Robert Malicious attacks on PyPi packages sometimes happen. The question is reasonable. Commented Dec 6, 2023 at 12:09

1 Answer

0

PyPi will remove malicious code immediately, so there isn't a chance that known malware will be found in those dependencies.

If you are worried that a particular package may have unknown malware, you can use sysdig to look into what events are occurring when you install the package. This is a ton of work, but look at this article for some pointers: https://jordan-wright.com/blog/post/2020-11-12-hunting-for-malicious-packages-on-pypi/

To determine if the code you run is possibly dangerous, or has a vulnerability, you can use pip-audit: https://github.com/pypa/pip-audit

To install:

pip install --upgrade pip pip-audit

It works best with virtual environments by reading the requirements.txt file. If you have the source installed in a virtual environment you can use

pip freeze > requirements.txt

You could also just write those files above manually into a requirements.txt but I don't recommend that. It would be in the form:

altgraph==0.17.3
atlassian-python-api==3.39.0

Once you have your requirements.txt run the following command:

pip-audit --requirement requirements.txt
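The answer above describes a small procedure: turn a `name version` listing into pinned `name==version` lines, save them as requirements.txt, and hand that file to pip-audit. The script below is an added example that is not part of the answer or of the pip-audit project. It assumes nothing beyond the `pip-audit --requirement` command already shown; the `listing_to_pins`, `write_requirements` and `run_pip_audit` names are hypothetical helpers, and the sample listing is a constructed excerpt of the packages in the question.

```python
"""Turn a flattened `name version name version ...` listing into a pinned
requirements.txt and run pip-audit against it (added example, hypothetical
helper names)."""
import re
import shutil
import subprocess
import tempfile
from pathlib import Path

# Constructed sample: a few entries copied from the listing in the question.
SAMPLE_LISTING = (
    "altgraph 0.17.3 atlassian-python-api 3.39.0 attrs 23.1.0 "
    "PyJWT 2.7.0 zope.event 5.0 winsdk 1.0.0b9"
)

# Loose shapes for a project name (PEP 508 style) and a version (PEP 440 style,
# including pre-release tags such as 1.0.0b9). Anything else is rejected so a
# mangled listing cannot silently produce a wrong pin.
NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*")
VERSION_RE = re.compile(r"[0-9][0-9A-Za-z.+!-]*")


def listing_to_pins(listing: str) -> list[str]:
    """Pair up whitespace-separated tokens as (name, version) and emit name==version."""
    tokens = listing.split()
    if len(tokens) % 2 != 0:
        raise ValueError("listing must contain name/version pairs")
    pins = []
    for name, version in zip(tokens[::2], tokens[1::2]):
        if not NAME_RE.fullmatch(name):
            raise ValueError(f"not a valid project name: {name!r}")
        if not VERSION_RE.fullmatch(version):
            raise ValueError(f"not a valid version for {name}: {version!r}")
        pins.append(f"{name}=={version}")
    return pins


def write_requirements(pins: list[str], directory: Path) -> Path:
    """Write the pins to <directory>/requirements.txt, one per line."""
    path = directory / "requirements.txt"
    path.write_text("\n".join(pins) + "\n", encoding="utf-8")
    return path


def run_pip_audit(requirements: Path):
    """Run `pip-audit --requirement <file>` if pip-audit is on PATH.

    Returns the CompletedProcess (non-zero exit means findings were reported),
    or None when pip-audit is not installed. The audit itself needs network
    access to fetch advisory data, which is why the test below does not call it.
    """
    exe = shutil.which("pip-audit")
    if exe is None:
        return None
    return subprocess.run(
        [exe, "--requirement", str(requirements)],
        capture_output=True, text=True, check=False,
    )


if __name__ == "__main__":
    workdir = Path(tempfile.mkdtemp(prefix="audit-"))
    req = write_requirements(listing_to_pins(SAMPLE_LISTING), workdir)
    print(f"wrote {req}:\n{req.read_text()}")
    result = run_pip_audit(req)
    if result is None:
        print("pip-audit not found; install it with: pip install --upgrade pip pip-audit")
    else:
        print(result.stdout or result.stderr)
        print(f"pip-audit exit status: {result.returncode}")
```

The validation step matters more than it looks: a listing pasted from a terminal can lose a token, and without the pair check a shifted column would pin every remaining package to the wrong version, so the audit would report on versions you are not actually running.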