[Sugar-devel] Malicious code in dateutil

bottersnike237 at gmail.com bottersnike237 at gmail.com
Thu Jan 23 18:03:17 EST 2020


It’s worth noting this is specifically the typo-squatting “python3-dateutil” package, and not the very legitimate “dateutil” package. The former only lasted on PyPi for about 2 days, so it would be a surprise if it was somehow integrated into SL code within that timeframe.

 

From: Sugar-devel <sugar-devel-bounces at lists.sugarlabs.org> On Behalf Of Chihurumnaya Ibiam
Sent: 23 January 2020 22:50
To: Sugar-dev Devel <Sugar-devel at lists.sugarlabs.org>
Subject: [Sugar-devel] Malicious code in dateutil

 

Dateutil has been found to contain malicious code, a github search shows 10+ uses of dateutil in Sugar Labs repos.

 

You can read more about it here

https://www.zdnet.com/article/two-malicious-python-libraries-removed-from-pypi/

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.sugarlabs.org/archive/sugar-devel/attachments/20200123/13bbd644/attachment.html>


More information about the Sugar-devel mailing list