New Malicious PyPI Packages Caught Using Covert Side-Loading Tactics

Cybersecurity researchers have discovered two malicious packages on the Python Package Index PyPI repository that were found leveraging a technique called DLL side-loading to circumvent detection by security software and run malicious code. The packages, named NP6HelperHttptest and NP6HelperHttpe...

Warning: PyPI Feature Executes Code Automatically After Python Package Download

In another finding that could expose developers to increased risk of a supply chain attack, it has emerged that nearly one-third of the packages in PyPI, the Python Package Index, trigger automatic code execution upon downloading them. "A worrying feature in pip/PyPI allows code to automatically...

CVE-2022-21668

pipenv is a Python development workflow tool. Starting with version 2018.10.9 and prior to version 2022.1.8, a flaw in pipenv's parsing of requirements files allows an attacker to insert a specially crafted string inside a comment anywhere within a requirements.txt file, which will cause victims...

CVE-2022-21668

pipenv is a Python development workflow tool. Starting with version 2018.10.9 and prior to version 2022.1.8, a flaw in pipenv's parsing of requirements files allows an attacker to insert a specially crafted string inside a comment anywhere within a requirements.txt file, which will cause victims...

PT-2022-15021 · Pipenv · Pipenv

Name of the Vulnerable Software and Affected Versions: pipenv versions 2018.10.9 through 2022.1.8 Description: A flaw in pipenv's parsing of requirements files allows an attacker to insert a specially crafted string inside a comment anywhere within a requirements.txt file. This will cause victims...

Cryptominers Slither into Python Projects in Supply-Chain Campaign

A group of cryptominers was found to have infiltrated the Python Package Index PyPI, which is a repository of software code created in the Python programming language. Similar to other repositories like GitHub, npm and RubyGems, PyPI is part of the software supply chain. It offers a place where...

Extensible Debugger UI For Hackers: Voltron

Voltron is an extensible debugger UI toolkit written in Python. It aims to improve the user experience of various debuggers LLDB, GDB, VDB and WinDbg by enabling the attachment of utility views that can retrieve and display data from the debugger host. By running these views in other TTYs, you ca...

Uber: Stored XSS in archive.uber.com Due to Injection of Javascript:alert(0)

archive.uber.com is vulnerable to an XSS due to injection of Javascript:alert0 as the downloadurl or the homepage in the setup.py when generating the .tar.gz. As of PEP 0470, the downloadurl and homepage parameters are depreciated. An example of a setup.py that can exploit this is: python from...

Design/Logic Flaw

setup.py in Prewikka 0.9.14 installs prewikka.conf with world-readable permissions, which allows local users to obtain the SQL database password...

CVE-2010-2058

setup.py in Prewikka 0.9.14 installs prewikka.conf with world-readable permissions, which allows local users to obtain the SQL database password...