jme45 / aircraft_classifiers_jme45

Utilities module for aircraft classification - to allow code reuse
MIT License

Deleted package detected #1

Open ashishbijlani opened 8 months ago

ashishbijlani commented 8 months ago

I'm a Cyber Security researcher and developer of PackjGuard [1] to address open-source software supply chain attacks.

Issue

During my research, I detected a deleted package in this repository.

Details

Specifically, the package aircraft_classifiers_jme45 mentioned in file README at line 7 does not exist on the public PyPI registry. A bad actor can hijack this package to propagate malicious code.

Impact

Not only are your apps/services using https://github.com/jme45/aircraft_classifiers_jme45 repo code vulnerable to this attack, but the users of your open-source GitHub repo could also fall victim.

You could read more about such attacks here: https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610

Remediation

Please highlight this in file README and register a placeholder package for aircraft_classifiers_jme45 on public PyPI soon to remediate.

To automatically fix such issues in the future, please install the PackjGuard GitHub app [1].

Thanks!

  1. PackjGuard is a GitHub app that monitors your repos 24x7, detects vulnerable/malicious/risky open-source dependencies, and creates pull requests for auto remediation: https://github.com/marketplace/packjguard

jme45 commented 8 months ago

Hi,

Thanks, I'll do that. I actually wanted to delete the entire package from PyPI, I guess I just haven't found the button yet. Presumably that would also solve this problem? I'll look into this tomorrow.

Best wishes, Jonathan

jme45 commented 8 months ago

Hi, I've updated the README. I had originally put this package on PyPI but then thought I didn't need it there anymore. Is the best thing to put it back on PyPI (I'd then also have to change another package, which is currently not on PyPI)?

Thanks for pointing this out, Jonathan

ashishbijlani commented 8 months ago

Yeah, people tend to blindly follow (copy/paste) readme instructions. So, updating the README, instructing the user to install from the repo (and not from PyPI), is one correct way to fix this issue.
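The check the report describes, as an added example that is neither PackjGuard's nor the repository's code: it pulls bare package names out of `pip install` lines in a README, skips install-from-repo references like the one the thread settles on, and reports the names the index does not know. The README excerpt and the `PUBLISHED` set are constructed stand-ins; in practice the `exists` callback would query the real index.

```python
import re
from typing import Callable

# Constructed README excerpt standing in for the repository's own README,
# which the issue does not reproduce.
SAMPLE_README = """\
# aircraft_classifiers_jme45
Install from PyPI:
    pip install aircraft_classifiers_jme45
Or directly from the repository:
    pip install git+https://github.com/jme45/aircraft_classifiers_jme45.git
"""

# Constructed stand-in for the registry lookup: the names this fake index knows.
PUBLISHED = {"numpy", "torch"}

PIP_INSTALL = re.compile(r"^\s*pip install\s+(.+)$")
# URLs, VCS references and local paths are fetched directly, not resolved by name.
NON_REGISTRY = re.compile(r"^(git\+|https?://|\.|/)")


def normalize(name: str) -> str:
    """PEP 503 normalization: lowercase, runs of [-_.] collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def registry_names(readme: str) -> list[tuple[int, str]]:
    """(line_number, name) for every bare package name that a 'pip install'
    line in the README would resolve through the package index."""
    found: list[tuple[int, str]] = []
    for lineno, line in enumerate(readme.splitlines(), start=1):
        m = PIP_INSTALL.match(line)
        if not m:
            continue
        for tok in m.group(1).split():
            if tok == "@":  # 'pkg @ <url>' is a direct reference, drop the name
                if found and found[-1][0] == lineno:
                    found.pop()
            elif tok.startswith("-") or NON_REGISTRY.match(tok):
                continue  # option flag, URL, VCS ref or local path
            else:
                bare = re.split(r"[\[<>=!~;@]", tok, maxsplit=1)[0]
                if bare:
                    found.append((lineno, normalize(bare)))
    return found


def unclaimed_names(readme: str, exists: Callable[[str], bool]) -> list[tuple[int, str]]:
    """Names the README tells users to install that the index does not know.
    Whoever registers such a name controls what that install command fetches."""
    return [(n, name) for n, name in registry_names(readme) if not exists(name)]
```

Run against the sample, only the bare-name line is reported; the `git+https://` line is ignored because pip fetches it from the repository rather than by name.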