Legrandin / pycryptodome

A self-contained cryptographic library for Python
https://www.pycryptodome.org

How to ensure that the pycryptodome library is secure and does not send passwords to the backend #820

Open Morishima-Hodaka opened 2 months ago

Morishima-Hodaka commented 2 months ago

Recently (April 25, 2024), the Xuanjing Supply Chain Security Intelligence Center captured a CStealer secret-stealing backdoor poisoning incident in the official PyPI repository (https://pypi.org/). The poisoner released 6 different versions of the malicious Python package multiplerequests in succession, targeting Python developers on the Windows platform. When the malicious package is installed, it remotely loads the CStealer backdoor onto the victim's system for execution. The backdoor steals the victim's sensitive system information, mainstream browser privacy data, digital currency wallet application data, system screenshots, etc. In addition, the backdoor also tries to install itself in the Windows system startup directory so that it runs automatically at boot.

Bl4omArchie commented 1 month ago

What you are referring to has nothing to do with pycryptodome security. PyPI is a repository for Python packages where anyone can publish and download packages. Here, some malicious packages have been spotted and removed from the platform. They played on the fact that people can misspell package names and download the wrong one. In this case the package name was "multiplerequests", which is very close to "requests" or "multiprocessing", and people can make a mistake.

PyCryptodome is open source; if you want to verify its security, just check the code yourself. And if you want to be sure that you downloaded the right package, verify the hash fingerprint, which is the way to verify the code's authenticity and integrity.
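A concrete form of the hash check recommended above, as an added example that is not pycryptodome's own code: it parses a digest in the `algorithm:hex` form that pip's `--hash` option accepts, compares it in constant time, and renders the pinned requirements line for `pip install --require-hashes`. The digest and package version used in the demo are constructed placeholders, not real release values.

```python
"""Hash-pinning check for a downloaded Python package artifact (added example, not pycryptodome code).
Uses the ``<algorithm>:<hex>`` digest form pip's ``--hash`` option accepts. The expected digest must
come from a trusted source (e.g. the project's release page), not from where the file was downloaded.
"""
import hashlib
import hmac

# Digest algorithms pip accepts for --hash; anything weaker is rejected.
ALLOWED_ALGORITHMS = ("sha256", "sha384", "sha512")


def parse_hash_spec(spec: str) -> tuple[str, str]:
    """Split 'sha256:ab12...' into (algorithm, lowercase hex digest), validating both parts."""
    algo, sep, digest = spec.partition(":")
    algo, digest = algo.strip().lower(), digest.strip().lower()
    if not sep or algo not in ALLOWED_ALGORITHMS:
        raise ValueError(f"unsupported or malformed hash spec: {spec!r}")
    expected_len = hashlib.new(algo).digest_size * 2
    if len(digest) != expected_len or not set(digest) <= set("0123456789abcdef"):
        raise ValueError(f"digest is not {expected_len} hex characters for {algo}")
    return algo, digest


def verify_bytes(data: bytes, spec: str) -> bool:
    """True iff the in-memory artifact matches the published digest (constant-time compare)."""
    algo, expected = parse_hash_spec(spec)
    return hmac.compare_digest(hashlib.new(algo, data).hexdigest(), expected)


def verify_file(path: str, spec: str) -> bool:
    """Same check for a file on disk, hashed in chunks so large wheels need not fit in memory."""
    algo, expected = parse_hash_spec(spec)
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return hmac.compare_digest(h.hexdigest(), expected)


def requirements_line(name: str, version: str, spec: str) -> str:
    """Render a pinned line for `pip install --require-hashes -r requirements.txt`."""
    algo, digest = parse_hash_spec(spec)
    return f"{name}=={version} --hash={algo}:{digest}"


if __name__ == "__main__":
    # Constructed stand-in for a downloaded wheel: the digest is SHA-256("abc"), not a real release hash.
    published = "sha256:ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
    print(verify_bytes(b"abc", published), verify_bytes(b"abd", published))  # True False
```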