A Python package called ‘mitmproxy2’ was deleted from the PyPI repository because it was an exact clone of the official “mitmproxy” library but with an “artificially introduced” code execution vulnerability.
With over 40,000 weekly downloads, the official ‘mitmproxy’ Python package is a free and open-source interactive HTTPS proxy.
Maximilian Hils, one of the creators of the ‘mitmproxy’ Python library, found the fake ‘mitmproxy2’ package uploaded to PyPI. ‘mitmproxy2’ is largely the same as the normal mitmproxy, but with the addition of a fake RCE vulnerability.
Hils’ major worry was that some software developers might misinterpret ‘mitmproxy2’ as a “newer version” of ‘mitmproxy,’ resulting in unsafe code being accidentally included in their programs.
While investigating an unrelated PyPI warehouse issue, Hils came upon this imitation package and called it a “happy little accident.”
When comparing the differences between ‘mitmproxy2’ and his ‘mitmproxy,’ one thing became clear: the former had all protections removed from its API.
He explained that mitmproxy’s web interface is backed by an HTTP API. If all protections are removed from that API, anyone on the same network can execute code on your system with a single HTTP request.
It is also unclear whether the individual who released the copycat ‘mitmproxy2’ package did so with malicious intent or simply out of poor development practice.
To be clear, this isn’t the most malicious act a hacker could commit. It would be much easier just to include some malicious code that immediately runs on installation.
The issue is that if you submit it to PyPI as ‘mitmproxy2’ with a version number that suggests it is newer than, or supersedes, the original, people will undoubtedly download it without realizing what has changed.
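As an added, defender-side example (not code from the article or the mitmproxy project), the check below scans a requirements file for names that are a known dependency plus a numeric suffix, as with ‘mitmproxy2’, or a single edit away from one; the allowlist and the requirements text are constructed for the demonstration.

```python
import re
from typing import List, Optional, Tuple

# Constructed allowlist: the packages this project is known to depend on.
KNOWN_PACKAGES = {"mitmproxy", "requests", "cryptography"}

# Constructed requirements file contents for the demonstration.
SAMPLE_REQUIREMENTS = """\
requests==2.31.0
mitmproxy2>=8.0   # looks like a "newer" mitmproxy
cryptography
"""


def normalize(name: str) -> str:
    """PEP 503 name normalization: lower-case and collapse runs of [-_.] to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirement_name(line: str) -> Optional[str]:
    """Return the normalized project name from one requirements line, or None for blanks/comments."""
    line = line.split("#", 1)[0].strip()
    match = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)", line)
    return normalize(match.group(1)) if match else None


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance (insert/delete/substitute), used for near-miss names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(name: str) -> Optional[str]:
    """Return the known package that `name` imitates, or None if it is known or unrelated."""
    if name in KNOWN_PACKAGES:
        return None
    for known in KNOWN_PACKAGES:
        # 'mitmproxy2'-style: the real name with trailing digits that read like a version.
        if re.fullmatch(re.escape(known) + r"\d+", name):
            return known
        if levenshtein(name, known) <= 1:
            return known
    return None


def audit_requirements(text: str) -> List[Tuple[str, str]]:
    """Return (suspicious_name, imitated_package) pairs found in a requirements file."""
    findings = []
    for line in text.splitlines():
        name = parse_requirement_name(line)
        if name is not None and lookalike_of(name):
            findings.append((name, lookalike_of(name)))
    return findings
```

A flagged name is a prompt to verify the package's provenance on PyPI, not proof of malice; pinning exact versions with `--hash` in requirements stops a lookalike from silently replacing the intended package.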
Hils praised the PyPI volunteers for responding quickly to the report. ‘mitmproxy2’ was taken down four hours after Hils’ tweet.