jarvismayur / Cipher_Craftt

CipherCraftt is a powerful and customizable password generator that creates secure and memorable passwords or passphrases. It features passphrase generation, password expiry checking, entropy calculation, customizable wordlists, and more to ensure your passwords are both strong and easy to manage.
https://pypi.org/project/cipher-craftt/
Apache License 2.0

Deleted package detected #21

Open ashishbijlani opened 2 weeks ago

ashishbijlani commented 2 weeks ago

I'm a Cyber Security researcher and developer of PackjGuard [1] to address open-source software supply chain attacks.

Issue

During my research, I detected a deleted package in this repository.

Details

Specifically, the package cipher-craft mentioned in file README at line 42 does not exist on the public PyPI registry. A bad actor can hijack this package to propagate malicious code.

Impact

Not only are your apps/services using https://github.com/jarvismayur/CipherCraft repo code vulnerable to this attack, but the users of your open-source GitHub repo could also fall victim.

You could read more about such attacks here: https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610

Remediation

Please highlight this in file README and register a placeholder package for cipher-craft on public PyPI soon to remediate.

To automatically fix such issues in future, please install the PackjGuard GitHub app [1].

Thanks!

  1. PackjGuard is a GitHub app that monitors your repos 24x7, detects vulnerable/malicious/risky open-source dependencies, and creates pull requests for auto remediation: https://github.com/marketplace/packjguard

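As an added example (not part of this issue thread, and not PackjGuard's or the project's own code): a small Python check for the condition the report describes, a package name referenced in a README that is not registered on the public index. It extracts names from `pip install` lines, applies PEP 503 name normalisation so spelling variants such as `Cipher_Craft` and `cipher-craft` compare as the same project, and asks an injected lookup whether each normalised name exists. The README snippet and the set of known project names below are constructed stand-ins; the optional `pypi_is_registered` helper shows how a real run would query the PyPI JSON API instead (it is not called by default, so the example runs offline).

```python
from __future__ import annotations

import json
import re
import urllib.error
import urllib.request
from typing import Callable


def normalize_name(name: str) -> str:
    """PEP 503 normalisation: PyPI treats 'Cipher_Craft', 'cipher.craft' and
    'cipher-craft' as one project, so only normalised names are comparable."""
    return re.sub(r"[-_.]+", "-", name).lower()


# Leading project name of a requirement such as "cipher-craft[cli]>=0.1".
_REQ_RE = re.compile(r"^([A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?)")

# pip options that consume the following token as their value.
_OPTS_WITH_VALUE = {"-r", "-i", "--index-url", "--extra-index-url",
                    "-e", "-c", "-f", "--find-links"}


def extract_pip_references(text: str) -> list[tuple[int, str]]:
    """Return (line_number, raw_name) for every registry package named in a
    `pip install ...` command in the text. Options, URLs and local paths are skipped."""
    refs: list[tuple[int, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = re.search(r"\bpip3?\s+install\s+(.*)", line)
        if not m:
            continue
        skip_next = False
        for tok in m.group(1).split():
            if skip_next:
                skip_next = False
                continue
            if tok.startswith("-"):
                skip_next = tok in _OPTS_WITH_VALUE
                continue
            if "://" in tok or tok.startswith((".", "/")):
                continue  # VCS/HTTP URL or local path, not an index name
            m2 = _REQ_RE.match(tok)
            if m2:
                refs.append((lineno, m2.group(1)))
    return refs


def find_unregistered(text: str,
                      is_registered: Callable[[str], bool]) -> list[tuple[int, str]]:
    """Every README reference whose normalised name the lookup reports as absent.
    Such a name can be registered by anyone, which is the risk the report describes."""
    return [(ln, name) for ln, name in extract_pip_references(text)
            if not is_registered(normalize_name(name))]


def pypi_is_registered(normalized_name: str, timeout: float = 10.0) -> bool:
    """Live lookup against the PyPI JSON API (assumed network access; not used
    by the offline sample below). A 404 means no project of that name exists."""
    url = f"https://pypi.org/pypi/{normalized_name}/json"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            json.load(resp)  # a well-formed project document
            return True
    except urllib.error.HTTPError as exc:
        if exc.code == 404:
            return False
        raise


# Constructed README snippet (not the project's real README).
SAMPLE_README = """\
# Installation

Install from PyPI:

    pip install cipher-craft

Or with extras and a pinned version:

    pip install Cipher_Craft[cli]>=0.1 requests

Developers can install from a checkout:

    pip install -e .
"""

# Constructed stand-in for the index: only these normalised names "exist".
KNOWN_PROJECTS = {"cipher-craftt", "requests"}


if __name__ == "__main__":
    for lineno, name in find_unregistered(SAMPLE_README, lambda n: n in KNOWN_PROJECTS):
        print(f"README line {lineno}: '{name}' is not registered on the index")
```

Running it offline reports the two `cipher-craft` spellings on lines 5 and 9 as unregistered, while `requests` passes; swapping `pypi_is_registered` in for the lambda turns the same function into a live check. Note that normalisation does not bridge `cipher-craft` and `cipher-craftt`, which is exactly why a one-letter mismatch between README and registry leaves a claimable name.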
jarvismayur commented 1 week ago

Hi Ashish @ashishbijlani,

Thank you for bringing this to my attention.

The package cipher-craft was indeed created by me specifically for this repository, but as a first-time user of PyPI, I initially made some mistakes during the setup process. The package is now correctly registered under the name cipher-craftt on PyPI (https://pypi.org/project/cipher-craftt/), and I’ve updated the repository accordingly.

Currently, there’s no issue with the package or the repository itself. I do appreciate your diligence, and I will certainly review PackjGuard as recommended and take any necessary steps to further enhance the security of this repo.

Thanks again for your valuable feedback and contribution!

Best regards, Mayur Tembhare