Bootstrap files in old Python packages are affected by a security weakness that could enable a supply chain compromise of the Python Package Index through a domain takeover attack, according to The Hacker News.
Even though the "distribute_setup.py" script became obsolete after its integration into Setuptools in 2013, multiple packages continued to ship a "bootstrap.py" script that attempted to install Distribute, exposing users to potential abuse of the domain for malicious code distribution, a report from ReversingLabs revealed. Such a script remains in the slapos.core package, as well as in Tornado's development and maintenance version.
"The issue lies in the programming pattern that includes fetching and executing a payload from a hard-coded domain, which is a pattern commonly observed in malware exhibiting downloader behavior. The failure to formally decommission the Distribute module allowed vulnerable bootstrap scripts to linger and left unknown numbers of projects exposed to a potential attack," said researcher Vladimir Pezo.
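The pattern Pezo describes, a script that fetches code from a hard-coded remote host and executes it, is straightforward to spot statically. The following is an added example written for this page, not code from ReversingLabs or from the affected packages: it parses Python source with the standard `ast` module and flags files in which a hard-coded URL literal, a network fetch call and an `exec`/`eval` call occur together. The sample bootstrap text and its domain (`example.invalid`) are constructed placeholders; the real legacy domain is not named on this page.

```python
import ast

# Constructed sample that mimics the legacy bootstrap shape discussed in the
# article (fetch a remote script, then exec() it). The domain is a placeholder.
SAMPLE_BOOTSTRAP = '''
import urllib.request
DEFAULT_URL = "https://legacy-bootstrap.example.invalid/distribute_setup.py"
def use_setuptools():
    src = urllib.request.urlopen(DEFAULT_URL).read()
    exec(src, {"__name__": "__main__"})
'''

# Constructed benign sample: reads local JSON, no network, no exec.
SAMPLE_CLEAN = '''
import json
def load(path):
    with open(path) as f:
        return json.load(f)
'''

EXEC_NAMES = ("exec", "eval", "execfile")


def _is_fetch(call):
    """True for urllib-style urlopen/urlretrieve and requests.get/post calls."""
    func = call.func
    if isinstance(func, ast.Attribute):
        if func.attr in ("urlopen", "urlretrieve"):
            return True
        # Only treat .get/.post as a fetch when the receiver is the requests
        # module, to avoid flagging dict.get() and similar.
        return (func.attr in ("get", "post")
                and isinstance(func.value, ast.Name)
                and func.value.id == "requests")
    return isinstance(func, ast.Name) and func.id in ("urlopen", "urlretrieve")


def _is_exec(call):
    func = call.func
    name = func.id if isinstance(func, ast.Name) else getattr(func, "attr", None)
    return name in EXEC_NAMES


def find_hardcoded_urls(tree):
    """Return every string literal that looks like a remote URL."""
    return [n.value for n in ast.walk(tree)
            if isinstance(n, ast.Constant) and isinstance(n.value, str)
            and n.value.startswith(("http://", "https://", "ftp://"))]


def scan_source(source):
    """Report hard-coded URLs, fetch calls and exec/eval calls in one file.

    The file is flagged only when all three appear, which is the
    download-and-run shape of the legacy bootstrap scripts.
    """
    tree = ast.parse(source)
    urls = find_hardcoded_urls(tree)
    fetches = [(ast.unparse(n.func), n.lineno) for n in ast.walk(tree)
               if isinstance(n, ast.Call) and _is_fetch(n)]
    execs = [(ast.unparse(n.func), n.lineno) for n in ast.walk(tree)
             if isinstance(n, ast.Call) and _is_exec(n)]
    return {"urls": urls, "fetches": fetches, "execs": execs,
            "flagged": bool(urls and fetches and execs)}


if __name__ == "__main__":
    for label, src in (("bootstrap", SAMPLE_BOOTSTRAP), ("clean", SAMPLE_CLEAN)):
        print(label, scan_source(src))
```

Run it against a checkout of a project's `bootstrap.py` or `setup.py` files to get a triage list; a flagged file is a candidate for removal or for replacement with a pinned, locally vendored installer, and the reported URL tells you which domain would need to stay under the project's control.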

Domain takeovers possible with legacy Python bootstrap script flaw
