Open ashishbijlani opened 2 weeks ago
Hi Ashish @ashishbijlani,
Thank you for bringing this to my attention.
The package cipher-craft was indeed created by me specifically for this repository, but as a first-time user of PyPI, I initially made some mistakes during the setup process. The package is now correctly registered under the name cipher-craftt on PyPI (https://pypi.org/project/cipher-craftt/), and I’ve updated the repository accordingly.
Currently, there’s no issue with the package or the repository itself. I do appreciate your diligence, and I will certainly review PackjGuard as recommended and take any necessary steps to further enhance the security of this repo.
Thanks again for your valuable feedback and contribution!
Best regards, Mayur Tembhare
I'm a Cyber Security researcher and developer of PackjGuard [1] to address open-source software supply chain attacks.
Issue
During my research, I detected a deleted package in this repository.
Details
Specifically, the package cipher-craft mentioned in file README at line 42 does not exist on the public PyPI registry. A bad actor can hijack this package to propagate malicious code.
Impact
Not only are your apps/services using https://github.com/jarvismayur/CipherCraft repo code vulnerable to this attack, but the users of your open-source GitHub repo could also fall victim. You can read more about such attacks here: https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610
Remediation
Please highlight this in file README and register a placeholder package for cipher-craft on public PyPI soon to remediate. To automatically fix such issues in the future, please install the PackjGuard GitHub app [1].
Thanks!
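The check the issue describes, as an added example that is not code from the issue, from PackjGuard, or from the CipherCraft repository: pull dependency names out of a README's `pip install` lines and a requirements file, normalize them the way PyPI does (PEP 503: case-folded, runs of `-`, `_` and `.` collapsed to one `-`), and report every name the index does not know. The sample README text, the sample requirements text and the stand-in registry are constructed for the offline demo; `pypi_exists` is the live lookup against PyPI's public JSON endpoint that replaces the stand-in in real use. Because `cipher-craft` and `cipher-craftt` normalize to different names, the same check also flags a README that still references the old spelling after the package was registered under the new one.

```python
"""Audit a repo's declared dependencies for names not registered on the index."""
import re
from urllib.error import HTTPError
from urllib.request import urlopen

# Any "pip install ..." command, including "python -m pip install ...".
PIP_INSTALL_RE = re.compile(r"\bpip3?\s+install\s+(.+)")
# Leading project name of a PEP 508 specifier ("requests>=2.31", "pkg[extra]").
NAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?")
# pip options whose following token is a file, path or URL, never an index name.
OPTIONS_WITH_ARG = {
    "-r", "--requirement", "-c", "--constraint", "-e", "--editable",
    "-i", "--index-url", "--extra-index-url", "-f", "--find-links",
}


def normalize(name: str) -> str:
    """PEP 503 normalization, the form PyPI compares names in."""
    return re.sub(r"[-_.]+", "-", name).lower()


def _names_from_tokens(tokens):
    names, skip_next = set(), False
    for tok in tokens:
        if skip_next:
            skip_next = False
            continue
        if tok in OPTIONS_WITH_ARG:
            skip_next = True
            continue
        # Other flags, VCS/HTTP URLs and local paths do not resolve through the index.
        if tok.startswith("-") or "://" in tok or tok.startswith((".", "/")):
            continue
        m = NAME_RE.match(tok)
        if m:
            names.add(normalize(m.group(0)))
    return names


def names_from_pip_commands(text: str) -> set:
    """README/docs: only the arguments of `pip install` command lines count."""
    found = set()
    for line in text.splitlines():
        m = PIP_INSTALL_RE.search(line)
        if m:
            found |= _names_from_tokens(m.group(1).split())
    return found


def names_from_requirements(text: str) -> set:
    """requirements.txt: one specifier per line; comments and env markers dropped."""
    found = set()
    for line in text.splitlines():
        spec = line.split("#", 1)[0].split(";", 1)[0].strip()
        if spec:
            found |= _names_from_tokens(spec.split())
    return found


def pypi_exists(name: str) -> bool:
    """Live check: PyPI's JSON API answers 404 for an unregistered name."""
    try:
        with urlopen(f"https://pypi.org/pypi/{name}/json", timeout=10) as resp:
            return resp.status == 200
    except HTTPError as err:
        if err.code == 404:
            return False
        raise


def audit(readme: str, requirements: str, exists=pypi_exists) -> list:
    """Return the sorted, normalized names that the index does not know."""
    names = names_from_pip_commands(readme) | names_from_requirements(requirements)
    return sorted(n for n in names if not exists(n))


# Constructed inputs for the demo; not the real repository's files.
SAMPLE_README = """\
## Installation
Install from PyPI:

    pip install cipher-craft
"""
SAMPLE_REQUIREMENTS = """\
requests>=2.31        # HTTP client
cryptography~=42.0 ; python_version >= "3.8"
git+https://example.invalid/org/tool.git
-e .
"""
# Constructed stand-in for the index (normalized names) so the demo runs offline.
CONSTRUCTED_REGISTRY = {"requests", "cryptography", "cipher-craftt"}

if __name__ == "__main__":
    # Swap CONSTRUCTED_REGISTRY.__contains__ for pypi_exists to query PyPI for real.
    print(audit(SAMPLE_README, SAMPLE_REQUIREMENTS, exists=CONSTRUCTED_REGISTRY.__contains__))
```

Run it from the repository root with the real README and requirements files read in and `exists=pypi_exists`; any name it prints is one an attacker could register first. Normalizing before the lookup matters: a README that says `Cipher_Craft` and an index entry `cipher-craft` are the same project to pip, so comparing raw strings would produce false alarms, while the lone extra `t` in `cipher-craftt` makes it a genuinely different name.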