I'm a Cyber Security researcher and developer of PackjGuard [1] to address open-source software supply chain attacks.
Issue
During my research, I found that this repo is vulnerable to attack due to deleted dependency from the public PyPI registry.
Details
Specifically, file https://github.com/Miriel-py/Maya-the-Bee/blob/aab7dbd1faf194fe9eb578209a3141df42e0b450/requirements.txt lists py-cord-dev as one of the dependencies. However, it has been deleted from public PyPI. As such, an external bad actor can claim that name and register a malicious package, which will be then installed with pip install command, resulting in arbitrary remote code execution.
Impact
Not only your apps/services using https://github.com/Miriel-py/Maya-the-Bee repo code are vulnerable to this attack, but the users of your open-source Github repo could also fall victim.
Please manually register a placeholder py-cord-dev package on PyPI immediately or remove py-cord-dev dependency from https://github.com/Miriel-py/Maya-the-Bee/blob/aab7dbd1faf194fe9eb578209a3141df42e0b450/requirements.txt to fix this vulnerability.
To automatically fix such issues in future, please install PackjGuard Github app [1].
Thanks!
PackjGuard is a Github app that monitors your repos 24x7, detects vulnerable/malicious/risky open-source dependencies, and creates pull requests for auto remediation: https://github.com/marketplace/packjguard
MirielCH
commented
9 months ago
I'm a Cyber Security researcher and developer of PackjGuard [1] to address open-source software supply chain attacks.
Issue
During my research, I found that this repo is vulnerable to attack due to deleted dependency from the public PyPI registry.
Details
Specifically, file
https://github.com/Miriel-py/Maya-the-Bee/blob/aab7dbd1faf194fe9eb578209a3141df42e0b450/requirements.txtlistspy-cord-devas one of the dependencies. However, it has been deleted from public PyPI. As such, an external bad actor can claim that name and register a malicious package, which will be then installed withpip installcommand, resulting in arbitrary remote code execution.Impact
Not only your apps/services using
https://github.com/Miriel-py/Maya-the-Beerepo code are vulnerable to this attack, but the users of your open-source Github repo could also fall victim.You could read more about such attacks here: https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610
Remediation
Please manually register a placeholder
py-cord-devpackage on PyPI immediately or removepy-cord-devdependency fromhttps://github.com/Miriel-py/Maya-the-Bee/blob/aab7dbd1faf194fe9eb578209a3141df42e0b450/requirements.txtto fix this vulnerability.To automatically fix such issues in future, please install PackjGuard Github app [1].
Thanks!