
pip install malware

Level:
beginner
Room:
south hall 2a
Start:
Duration:
30 minutes

Abstract

pip install malware: it’s that easy. Almost all projects depend on external packages, but did you know how easy it can be to install something nasty instead of the dependency you want? I'll be showing this live, as I make malware and install it from PyPI onto my own computer during the talk!

Type:
Talk
Track:
Security

Description

You might remember classic typosquatting examples like goggle.com, but it’s now common to see malicious code hidden in spoofed or otherwise fraudulent PyPI packages or nested dependencies. Malware developers can also use techniques like starjacking to appear legitimate, so these unpleasant packages become even more difficult to spot. It’s estimated that over 3% of packages on PyPI could be using this technique.

By the end of this talk, you’ll know how to protect yourself when installing and updating dependencies and you’ll leave with a checklist to follow to help you stay safe in future.


The speaker

Max Kahan

I'm a Python Developer Advocate and Software Engineer at Vonage (ex-IBM). I'm interested in communications APIs, machine learning, open-source, developer experience and dancing! My training is in Physics and now I use my problem-solving skills daily, working on open-source projects and finding ways to make developers’ lives better.
