Open ashishbijlani opened 8 months ago
Hi,
Thanks, I'll do that. I actually wanted to delete the entire package from PyPI, I guess I just haven't found the button yet. Presumably that would also solve this problem? I'll look into this tomorrow.
Best wishes,
Jonathan
---- On Wed, 24 Jan 2024 15:50:27 +0100 Ashish Bijlani wrote ---
I'm a Cyber Security researcher and developer of PackjGuard [1] to address open-source software supply chain attacks.
Issue
During my research, I detected a deleted package in this repository.
Details
Specifically, the package aircraft_classifiers_jme45 mentioned in file README at line 7 does not exist on the public PyPI registry. A bad actor can hijack this package to propagate malicious code.
Impact
Not only your apps/services using https://github.com/jme45/aircraft_classifiers_jme45 repo code are vulnerable to this attack, but the users of your open-source Github repo could also fall victim. You could read more about such attacks here: https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610
Remediation
Please highlight this in file README and register a placeholder package for aircraft_classifiers_jme45 on public PyPI soon to remediate. To automatically fix such issues in future, please install PackjGuard Github app [1].
Thanks!
[1] PackjGuard is a Github app that monitors your repos 24x7, detects vulnerable/malicious/risky open-source dependencies, and creates pull requests for auto remediation: https://github.com/marketplace/packjguard
Hi, I've updated the README. I had originally put this package on PyPI but then thought I didn't need it there anymore. Is the best thing to put it back on PyPI (I'd then also have to change another package, which is currently not on PyPI)?
Thanks for pointing this out.
Jonathan
Yeah, people tend to blindly follow (copy/paste) readme instructions. So, updating the README, instructing the user to install from the repo (and not from PyPI), is one correct way to fix this issue.
I'm a Cyber Security researcher and developer of PackjGuard [1] to address open-source software supply chain attacks.
Issue
During my research, I detected a deleted package in this repository.
Details
Specifically, the package aircraft_classifiers_jme45 mentioned in file README at line 7 does not exist on the public PyPI registry. A bad actor can hijack this package to propagate malicious code.
Impact
Not only your apps/services using https://github.com/jme45/aircraft_classifiers_jme45 repo code are vulnerable to this attack, but the users of your open-source Github repo could also fall victim. You could read more about such attacks here: https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610
Remediation
Please highlight this in file README and register a placeholder package for aircraft_classifiers_jme45 on public PyPI soon to remediate. To automatically fix such issues in future, please install PackjGuard Github app [1].
Thanks!
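As an added example, not PackjGuard's code and not part of this thread: a small Python check that pulls the package names a README tells users to `pip install`, normalises them the way the PyPI index does (PEP 503), and reports the ones the registry does not know, which is exactly the gap a deleted-package hijack exploits. The registry lookup is injected so the sample runs offline against a constructed set of "published" names; the README text and that set are constructed for the example, not taken from the repo.

```python
import re
from typing import Callable, List

# Matches "pip install ...", "pip3 install ..." and "python -m pip install ..." and
# captures everything after "install" for token-by-token inspection.
PIP_INSTALL_RE = re.compile(r"(?:python3?\s+-m\s+)?pip3?\s+install\s+(.*)")


def normalize(name: str) -> str:
    """PEP 503 normalisation: runs of '-', '_' and '.' become '-', then lowercase."""
    return re.sub(r"[-_.]+", "-", name).lower()


def pypi_names_in_readme(text: str) -> List[str]:
    """Normalised names of packages a README instructs users to install from PyPI.

    Git URLs and local paths are skipped: they are not resolved through the
    index, so an unregistered name there cannot be claimed on PyPI."""
    names: List[str] = []
    for line in text.splitlines():
        m = PIP_INSTALL_RE.search(line)
        if not m:
            continue
        for tok in m.group(1).split():
            tok = tok.strip("'\"")
            if tok.startswith("-"):                  # option such as -e / --upgrade
                continue
            if "://" in tok or "/" in tok or tok.startswith("."):
                continue                             # URL or filesystem path
            name = re.split(r"[\[<>=!~;@]", tok, 1)[0]   # drop extras / specifiers
            if name:
                names.append(normalize(name))
    return names


def find_unregistered(readme: str, exists_on_pypi: Callable[[str], bool]) -> List[str]:
    """Names the README installs that the registry lookup says do not exist.

    exists_on_pypi is injected; a live version could GET
    https://pypi.org/pypi/<name>/json and treat a 404 as "not registered"."""
    return sorted({n for n in pypi_names_in_readme(readme) if not exists_on_pypi(n)})


# Constructed sample README (hypothetical content, not the repo's real file).
SAMPLE_README = """\
# aircraft classifiers
Install with:
    pip install aircraft_classifiers_jme45
or straight from source:
    pip install git+https://github.com/jme45/aircraft_classifiers_jme45
Also needs: pip install torch>=2.0 "pillow[webp]"
"""

# Constructed stand-in for the registry: only these names count as published.
KNOWN = {"torch", "pillow"}

if __name__ == "__main__":
    print(find_unregistered(SAMPLE_README, lambda n: n in KNOWN))
```

Run against the live index, a non-empty result is the signal to either republish a placeholder for the name or change the README to install from the repo, as the thread discusses.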