{"id":13843667,"url":"https://github.com/grayddq/PypiScan","last_synced_at":"2025-07-11T19:33:09.725Z","repository":{"id":108771526,"uuid":"231035498","full_name":"grayddq/PypiScan","owner":"grayddq","description":"This script provides security-scanning research at the source of the PyPI supply chain: it scans PyPI and discovers previously unknown malicious packages.","archived":false,"fork":false,"pushed_at":"2023-05-22T22:36:56.000Z","size":336,"stargazers_count":32,"open_issues_count":1,"forks_count":11,"subscribers_count":2,"default_branch":"master","last_synced_at":"2024-08-05T17:38:34.288Z","etag":null,"topics":["pypi","security"],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/grayddq.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2019-12-31T06:03:46.000Z","updated_at":"2024-07-01T13:13:09.000Z","dependencies_parsed_at":"2023-06-04T21:30:12.506Z","dependency_job_id":null,"html_url":"https://github.com/grayddq/PypiScan","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/grayddq%2FPypiScan","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/grayddq%2FPypiScan/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/grayddq%2FPypiScan/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/grayddq%2FPypiScan/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/grayddq","download_url":"https://codeload.github.com/grayddq/PypiScan/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://githu
b.com","kind":"github","repositories_count":225755096,"owners_count":17519198,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["pypi","security"],"created_at":"2024-08-04T17:02:22.892Z","updated_at":"2024-11-21T15:31:24.311Z","avatar_url":"https://github.com/grayddq.png","language":"Python","funding_links":[],"categories":["Python","Python (1887)"],"sub_categories":[],"readme":"# PypiScan 0.1\n\nThis script provides security-scanning research at the source of the PyPI supply chain: it scans PyPI and discovers previously unknown malicious packages.\n\n## Author ##\n\n咚咚呛 \n\nIf you have other suggestions, contact WeChat 280495355.\n\n## Technical details ##\nThe technical details are as follows:\n\n\t1. The script crawls the information of every PyPI package using multiple threads; the default is 10 threads, and increasing it is recommended depending on the host and bandwidth available.\n\t2. Each project contains packages for multiple versions. Release packages come in two types, whl and tar; a whl file is in fact a zip archive.\n\t3. Because the number of files is very large and disk storage is limited, the original package is deleted once it has been downloaded and scanned, but files flagged as malicious are saved to a specified directory.\n\t4. Scanning is primarily static. The signature lines scanned for include: network connection behaviour, specific file operations, command execution behaviour, and specific encoding behaviour.\n\t5. The author ran one full scan: 210,000+ projects and 1,500,000+ packages, taking 10+ days. There are currently many false positives, and the script is mainly intended for research; if you want to use it in production, review the rules first.\n\n## Usage ##\n\n\u003e root# \u003ckbd\u003egit clone https://github.com/grayddq/PypiScan.git\u003c/kbd\u003e\n\u003e\n\u003e root# \u003ckbd\u003ecd PypiScan\u003c/kbd\u003e\n\u003e\n\u003e root# \u003ckbd\u003esudo pip install -r requirements.txt\u003c/kbd\u003e\n\u003e\n\u003e root# \u003ckbd\u003epython PypiScan.py --thread 100\u003c/kbd\u003e\n\n## Screenshot ##\n\n![Screenshot](pic/111.png)\n\n\n## Historical risk references ##\n\nHistorical malicious PyPI packages\n\n    https://snyk.io/vuln/SNYK-PYTHON-JEILYFISH-536726\n    https://snyk.io/vuln/SNYK-PYTHON-PYTHON3DATEUTIL-536644\n    https://snyk.io/vuln/SNYK-PYTHON-LIBARI-460155\n    https://snyk.io/vuln/SNYK-PYTHON-LIBPESH-460156\n    https://snyk.io/vuln/SNYK-PYTHON-LIBPESHNX-460157\n    https://snyk.io/vuln/SNYK-PYTHON-DAJNGO-72531\n    
https://snyk.io/vuln/SNYK-PYTHON-DIANGO-72529\n    https://snyk.io/vuln/SNYK-PYTHON-DJAGO-72530\n    https://snyk.io/vuln/SNYK-PYTHON-MYBIUBIUBIU-72532\n    https://snyk.io/vuln/SNYK-PYTHON-PKGUTIL-72527\n    https://snyk.io/vuln/SNYK-PYTHON-SMPLEJSON-72526\n    https://snyk.io/vuln/SNYK-PYTHON-TIMEIT-72528\n    https://snyk.io/vuln/SNYK-PYTHON-COLOURAMA-72537\n    https://snyk.io/vuln/SNYK-PYTHON-PYCONAUFUNTIMES-72536\n    https://snyk.io/vuln/SNYK-PYTHON-DJANGA-72533\n    https://snyk.io/vuln/SNYK-PYTHON-EASYINSTALL-72534\n    https://snyk.io/vuln/SNYK-PYTHON-LIBPESHKA-72535\n    https://snyk.io/vuln/SNYK-PYTHON-SSHDECORATE-40786\n    https://snyk.io/vuln/SNYK-PYTHON-ACQUSITION-40662\n    https://snyk.io/vuln/SNYK-PYTHON-APIDEVCOOP-40663\n    https://snyk.io/vuln/SNYK-PYTHON-BZIP-40664\n    https://snyk.io/vuln/SNYK-PYTHON-CRYPT-40665\n    https://snyk.io/vuln/SNYK-PYTHON-DJANGOSERVER-40666\n    https://snyk.io/vuln/SNYK-PYTHON-PWD-40667\n    https://snyk.io/vuln/SNYK-PYTHON-SETUPTOOLS-40668\n    https://snyk.io/vuln/SNYK-PYTHON-TELNET-40669\n    https://snyk.io/vuln/SNYK-PYTHON-URLIB3-40670\n    https://snyk.io/vuln/SNYK-PYTHON-URLLIB-40671\n\nReference articles:\n    \n    https://github.com/dateutil/dateutil/issues/984\n    https://blog.reversinglabs.com/blog/suppy-chain-malware-detecting-malware-in-package-manager-repositories\n    https://medium.com/@bertusk/detecting-cyber-attacks-in-the-python-package-index-pypi-61ab2b585c67\n    https://medium.com/@bertusk/cryptocurrency-clipboard-hijacker-discovered-in-pypi-repository-b66b8a534a8\n    https://www.bleepingcomputer.com/news/security/backdoored-python-library-caught-stealing-ssh-credentials/\n    
https://www.bleepingcomputer.com/news/security/ten-malicious-libraries-found-on-pypi-python-package-index/\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgrayddq%2FPypiScan","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgrayddq%2FPypiScan","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgrayddq%2FPypiScan/lists"}