PyPI removes ‘mitmproxy2’ over code execution issue

The PyPI repository has removed a Python package called “mitmproxy2”, an identical copy of the official “mitmproxy” library but with an “artificially introduced” code execution vulnerability.

The official “mitmproxy” Python library is a free and open source interactive HTTPS proxy with over 40,000 weekly downloads.

The copycat package could trick developers into mistaking it for a “newer” version

Yesterday, Maximilian Hils, one of the developers of the ‘mitmproxy’ Python library, drew attention to a fake ‘mitmproxy2’ package uploaded to PyPI.

‘mitmproxy2’ is essentially “the same as regular mitmproxy but with an artificial RCE vulnerability included”.

Hils’ main concern, as he described it to TechToSee, was that some developers might mistake “mitmproxy2” for a newer version of mitmproxy and inadvertently introduce insecure code into their applications.

Hils found the copycat package by what he calls a “happy little accident” while looking into an unrelated issue with PyPI’s Warehouse.

Now-removed PyPI package page for ‘mitmproxy2’ (BleepingComputer)

Comparing ‘mitmproxy2’ with the official ‘mitmproxy’ revealed something important: the former had all the safeguards removed from its web API.

“When you run the mitmproxy web interface, we expose an HTTP API for it. If you remove all the safeguards from this API, everyone on the same network can run code on your machine with a single HTTP request,” Hils told TechToSee in an email interview.

‘mitmproxy2’ with the API safeguards removed (BleepingComputer)
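To make concrete what “safeguards” on a local web-UI API buy you, here is an added example that is not mitmproxy’s code and not from the article: a constructed model of an HTTP API served on loopback, once with the checks a web UI typically relies on (Host pinning, an Origin check, and a per-session secret token compared in constant time) and once with them stripped out, as the copycat package did. The endpoint paths, header names, sample requests and the `run` action are assumptions for illustration; the “command” is only recorded, never executed.

```python
# Added example (not mitmproxy's code): a model of a locally served web-UI API
# with and without request safeguards. Endpoint names, headers and the sample
# traffic are constructed for illustration only.
import hmac
import secrets
from dataclasses import dataclass, field

# Secret the UI hands to the operator's browser when it is opened. A host
# elsewhere on the network never learns it, so it cannot forge a valid
# state-changing request.
SESSION_TOKEN = secrets.token_hex(16)
LOCAL_HOSTS = ("127.0.0.1", "localhost")


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    body: str = ""

    def header(self, name: str) -> str:
        # HTTP header names are case-insensitive.
        return next((v for k, v in self.headers.items() if k.lower() == name.lower()), "")


def _hostname(value: str) -> str:
    # "http://localhost:8081" -> "localhost"; "127.0.0.1:8081" -> "127.0.0.1"
    return value.split("://", 1)[-1].rsplit(":", 1)[0]


def guarded_authorize(req: Request, token: str) -> tuple:
    """Checks a local API should keep: Host pinning, Origin check, session token."""
    if _hostname(req.header("Host")) not in LOCAL_HOSTS:
        return 403, "request not addressed to the local UI"
    origin = req.header("Origin")
    if origin and _hostname(origin) not in LOCAL_HOSTS:
        return 403, "cross-origin request"
    if req.method in ("POST", "PUT", "DELETE"):
        # Constant-time comparison so the token cannot be guessed byte by byte.
        if not hmac.compare_digest(req.header("X-Session-Token").encode(), token.encode()):
            return 401, "missing or invalid session token"
    return 200, "ok"


def unguarded_authorize(req: Request, token: str) -> tuple:
    """The copycat's behaviour: every request is accepted as-is."""
    return 200, "ok"


def serve(req: Request, authorize, token: str, executed: list) -> int:
    """Dispatch one request through the chosen policy. The /api/run endpoint
    stands in for any call that makes the tool act on the operator's machine;
    here it only records the command body instead of running it."""
    status, _reason = authorize(req, token)
    if status != 200:
        return status
    if req.method == "POST" and req.path == "/api/run":
        executed.append(req.body)
        return 200
    if req.method == "GET" and req.path == "/api/flows":
        return 200
    return 404


def replay(authorize, token: str = SESSION_TOKEN) -> dict:
    """Replay the same constructed traffic under one policy and report outcomes."""
    executed = []
    # Constructed sample requests, not captured traffic.
    from_operator_browser = Request(
        "POST", "/api/run",
        {"Host": "127.0.0.1:8081", "Origin": "http://127.0.0.1:8081",
         "X-Session-Token": token},
        body="save-flows /tmp/out",
    )
    from_lan_host = Request(  # curl from another machine: no Origin, no token
        "POST", "/api/run", {"Host": "192.168.1.20:8081"}, body="touch /tmp/pwned",
    )
    from_malicious_site = Request(  # CSRF via the operator's own browser
        "POST", "/api/run",
        {"Host": "127.0.0.1:8081", "Origin": "http://attacker.example"},
        body="touch /tmp/pwned",
    )
    return {
        "operator": serve(from_operator_browser, authorize, token, executed),
        "lan_host": serve(from_lan_host, authorize, token, executed),
        "malicious_site": serve(from_malicious_site, authorize, token, executed),
        "executed": executed,
    }


if __name__ == "__main__":
    print("guarded:  ", replay(guarded_authorize))
    print("unguarded:", replay(unguarded_authorize))
```

Under the guarded policy only the operator’s own browser request reaches the `run` endpoint; the request from the other LAN host and the cross-origin one are refused before dispatch. With the checks removed, all three are served and the attacker’s command body is recorded twice, which is the “single HTTP request” Hils describes.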

It is also not clear whether the user who published the ‘mitmproxy2’ copycat package did so with deliberate malicious intent or simply through unsafe coding practices.

“To be clear, this really isn’t the most malicious thing an attacker can do. It would be much easier to just add malicious code that runs immediately upon installation.”

“The problem of course is that if you upload this to PyPI as ‘mitmproxy2’ with a version number that indicates it is newer / a successor, people will inevitably download this without knowing the changes.”

Hils thanked the PyPI volunteers for responding quickly to his report. Within four hours of Hils’ tweet, “mitmproxy2” had been removed.

Whack-a-mole: another imitator appears hours later

While analyzing ‘mitmproxy2’, TechToSee discovered that another package, ‘mitmproxy-iframe’, had appeared in the PyPI registry less than a day after ‘mitmproxy2’ was removed.

Again, this package is an exact replica of the official mitmproxy, but with the aforementioned safeguards removed from the “app.py” file, as seen by TechToSee.

Interestingly, mitmproxy-iframe was published by the same user who is behind ‘mitmproxy2’, which casts further doubt on that user’s intentions:

Another package, ‘mitmproxy-iframe’, appears with the same code execution vulnerability (BleepingComputer)

Since anyone can publish packages to open source ecosystems, security threats and attacks such as malware injection, typosquatting, brandjacking, and dependency confusion have grown rapidly in recent times.

Unless open source registries put concrete validations in place, these “whack-a-mole” situations are bound to repeat themselves.
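Registry-side validation is out of a consumer’s hands, but the naming pattern seen here (‘mitmproxy2’, ‘mitmproxy-iframe’) can be caught before `pip install` runs. The following is an added example, not from the article, PyPI or the mitmproxy project: a small audit that normalizes requirement names per PEP 503 and flags any name that is a trusted package with digits or a hyphenated suffix appended, or that sits within one edit of a trusted name. The trusted list and the sample requirements file are constructed for illustration.

```python
# Added example (not from the article or PyPI): pre-install audit of a
# requirements file for lookalikes of trusted package names. The trusted set
# and sample requirements below are constructed for illustration.
import re

TRUSTED = {"mitmproxy", "requests", "cryptography", "urllib3"}


def normalize(name: str) -> str:
    """PEP 503 name normalization: case-fold and collapse runs of -, _ and . to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(name: str, trusted=TRUSTED) -> str:
    """Return 'trusted', 'suffix-of:<pkg>', 'near:<pkg>' or 'unknown'."""
    n = normalize(name)
    if n in trusted:
        return "trusted"
    for t in sorted(trusted):
        rest = n[len(t):]
        # "mitmproxy2" and "mitmproxy-iframe" both pretend to be mitmproxy.
        if n.startswith(t) and rest and (rest.isdigit() or rest.startswith("-")):
            return f"suffix-of:{t}"
        if levenshtein(n, t) <= 1:
            return f"near:{t}"
    return "unknown"


# Matches the project name at the start of a requirement line ("pkg>=1.2", "pkg[extra]").
_NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")


def audit(requirements_text: str) -> dict:
    """Map each requirement name to its verdict; comments, blanks and -r/--options are skipped."""
    verdicts = {}
    for line in requirements_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = _NAME_RE.match(line)
        if m:
            verdicts[m.group(1)] = classify(m.group(1))
    return verdicts


def suspicious(requirements_text: str) -> list:
    """Names that should block installation until someone looks at them."""
    return sorted(n for n, v in audit(requirements_text).items() if v.startswith(("suffix-of", "near")))


# Constructed sample requirements file, not a real project's.
SAMPLE_REQUIREMENTS = """
# pinned deps
requests==2.31.0
mitmproxy2>=8.0      # looks like a successor of mitmproxy
mitmproxy-iframe
Cryptography>=41
urllib4
numpy
-r extras.txt
"""

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_REQUIREMENTS).items():
        print(f"{name:20} {verdict}")
    print("blocked:", suspicious(SAMPLE_REQUIREMENTS))
```

The suffix rule is deliberately narrow (digits or a hyphenated tail only) so that legitimately named companions are not flagged wholesale; anything it or the edit-distance rule catches should be resolved by checking the package’s real upstream, not by trusting the version number on the registry page.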

TechToSee reported the ‘mitmproxy-iframe’ package to PyPI before publishing this article, and the package has since been removed.
