MAL-2024-1106 Malicious code in lyft-stats (PyPI)
Source: ossf-package-analysis a187384a19b081ac529bfe65d79397f4521255a67fb44dd29c1bc8cc5220fe42. The OpenSSF Package Analysis project identified 'lyft-stats' @ 5.9.1 pypi as malicious. It is considered malicious because: - The package...
MAL-2024-1104 Malicious code in lyft-exceptions (PyPI)
Source: ossf-package-analysis 5e0290aaa0cb90a501cb0a0b357f32d3e725f6f3a97541cbc2796671ea4e8f60. The OpenSSF Package Analysis project identified 'lyft-exceptions' @ 5.9.1 pypi as malicious. It is considered malicious because: - The package...
MAL-2024-1105 Malicious code in lyft-settings (PyPI)
Source: ossf-package-analysis 11c2890ec2321b818585ae36669c7c7b9b8b88d0b0b4c7b47679988a9908c569. The OpenSSF Package Analysis project identified 'lyft-settings' @ 5.9.1 pypi as malicious. It is considered malicious because: - The package...
MAL-2024-1103 Malicious code in lyft-requests (PyPI)
Source: ossf-package-analysis d60f1a244bc4a4509672cc7a34d1db4ee83618066b02f41f15a6573ff6f5a2ff. The OpenSSF Package Analysis project identified 'lyft-requests' @ 5.9.1 pypi as malicious. It is considered malicious because: - The package...
Watch Out: These PyPI Python Packages Can Drain Your Crypto Wallets
Threat hunters have discovered a set of seven packages on the Python Package Index PyPI repository that are designed to steal BIP39 mnemonic phrases used for recovering private keys of a cryptocurrency wallet. The software supply chain attack campaign has been codenamed BIPClip by ReversingLabs...
MAL-2024-1059 Malicious code in booto3 (PyPI)
Source: ossf-package-analysis 517345ec1e168770a23a0845f40ee366e2909fd1175efbb4e2292561345b5665. The OpenSSF Package Analysis project identified 'booto3' @ 0.0.1 pypi as malicious. It is considered malicious because: - The package communicat...
BIT-GITLAB-2020-13328
An issue has been discovered in GitLab affecting versions prior to 13.1.2, 13.0.8 and 12.10.13. GitLab was vulnerable to a stored XSS by using the PyPi files API...
BIT-GITLAB-2022-1431
An issue has been discovered in GitLab affecting all versions starting from 12.10 before 14.8.6, all versions starting from 14.9 before 14.9.4, all versions starting from 14.10 before 14.10.1. GitLab was not correctly handling malicious requests to the PyPi API endpoint allowing the attacker to...
MAL-2024-1050 Malicious code in pyalicet (PyPI)
Source: ossf-package-analysis 96a6abcd56ea94e027d0d68089a1b6f29312c009aa9be7d80c4b0e33bf0e6396. The OpenSSF Package Analysis project identified 'pyalicet' @ 0.0.3 pypi as malicious. It is considered malicious because: - The package...
Lazarus Exploits Typos to Sneak PyPI Malware into Dev Systems
The notorious North Korean state-backed hacking group Lazarus uploaded four packages to the Python Package Index PyPI repository with the goal of infecting developer systems with malware. The packages, now taken down, are pycryptoenv, pycryptoconf, quasarlib, and swapmempool. They have been...
Dormant PyPI Package Compromised to Spread Nova Sentinel Malware
A dormant package available on the Python Package Index PyPI repository was updated after nearly two years to propagate an information stealer malware called Nova Sentinel. The package, named django-log-tracker, was first published to PyPI in April 2022, according to software supply chain securit...
MAL-2024-1036 Malicious code in djanggo (PyPI)
Source: ossf-package-analysis 011da0e2a451e787d1c7b54c29f3090de47bd2366de80983667665a70d885320. The OpenSSF Package Analysis project identified 'djanggo' @ 0.0.6 pypi as malicious. It is considered malicious because: - The package...
CVE-2024-26151 Potentially untrusted input is rendered as HTML in final output
The mjml PyPI package, found at the FelixSchwarz/mjml-python GitHub repo, is an unofficial Python port of MJML, a markup language created by Mailjet. All users of FelixSchwarz/mjml-python who insert untrusted data into mjml templates are affected unless that data is checked in a very strict manner. User input...
CVE-2024-26151
The CVE-2024-26151 issue affects the mjml-python package (FelixSchwarz/mjml-python), an unofficial Python port of MJML. The root cause is that untrusted input can be rendered as HTML in the final output when injected into mjml templates, allowing an attacker to influence email contents sent to ot...
New Malicious PyPI Packages Caught Using Covert Side-Loading Tactics
Cybersecurity researchers have discovered two malicious packages on the Python Package Index PyPI repository that were found leveraging a technique called DLL side-loading to circumvent detection by security software and run malicious code. The packages, named NP6HelperHttptest and NP6HelperHttpe...
Python’s Colorama Typosquatting Meets ‘Fade Stealer’ Malware
As our hunt against malicious Python packages continues, Imperva Threat Research recently discovered an attempt to masquerade Fade Stealer malware as a nondescript package, Colorama. Why Colorama? Colorama is a package used by developers to add color and style to their text in terminal outputs...
Weblate: Information Disclosure
A vulnerability allowed API keys to be exposed in a PyPI package...
Malicious PyPI Packages Slip WhiteSnake InfoStealer Malware onto Windows Machines
Cybersecurity researchers have identified malicious packages on the open-source Python Package Index PyPI repository that deliver an information stealing malware called WhiteSnake Stealer on Windows systems. The malware-laced packages are named nigpal, figflix, telerer, seGMM, fbdebug, sGMM,...
CVE-2024-23342
A flaw was found in the ecdsa PyPI package, a pure Python implementation of ECC Elliptic Curve Cryptography with support for ECDSA Elliptic Curve Digital Signature Algorithm, EdDSA Edwards-curve Digital Signature Algorithm and ECDH Elliptic Curve Diffie-Hellman. Versions 0.18.0 and prior may be...
Moderate: Red Hat Security Advisory: python-pip security update
An update for python-pip is now available for Red Hat Enterprise Linux 8.6 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available f...