qiskit-community / qiskit-quantinuum-provider

Qiskit provider for Quantinuum backends.
Apache License 2.0
21 stars 17 forks

Deleted dependency supply-chain vulnerability detected #36

Closed. ashishbijlani closed this 11 months ago

ashishbijlani commented 11 months ago

I'm a cybersecurity researcher developing PackjGuard [1]. Our tool has detected a deleted dependency vulnerability in this repository.

The package qiskit-quantinuum-provider mentioned in file README at line 14 does not exist on the public PyPI registry. A bad actor can hijack this package to propagate malicious code.

Not only are your apps/services vulnerable to this attack, but users of your open-source GitHub repo are also vulnerable to it.

Please highlight this in file README and register a placeholder package for qiskit-quantinuum-provider on public PyPI soon to remediate.

Thanks!

  1. PackjGuard is a GitHub app that monitors repos for malicious/vulnerable dependencies and mitigates attacks by creating pull requests for automatic remediation https://github.com/marketplace/packjguard
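A defender-side check for the problem this report describes, added here as an example and not code from the issue, PackjGuard or the project: it pulls project names out of `pip install` lines in a README excerpt (a constructed sample, not the repository's real README) and reports the ones the registry does not know, which are exactly the names a third party could still register. The `pypi_exists` lookup against PyPI's JSON API is the live path; the `exists` parameter lets the check run offline against a known-name set.

```python
import re
from typing import Callable, Set
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Constructed README excerpt (not the project's own README). The first
# install line names the package the report says is absent from PyPI.
SAMPLE_README = """\
# Installation

    pip install --upgrade qiskit-quantinuum-provider

Also needs qiskit: `pip install qiskit>=0.40`
"""

PIP_INSTALL_RE = re.compile(r"pip3?\s+install\s+([^\n`]+)")
NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*")  # project-name prefix of a requirement

def normalize(name: str) -> str:
    # PEP 503 normalization, so "Qiskit_Foo" and "qiskit-foo" compare equal
    return re.sub(r"[-_.]+", "-", name).lower()

def extract_install_names(text: str) -> Set[str]:
    """Project names from every `pip install ...` line in the text."""
    names = set()
    for m in PIP_INSTALL_RE.finditer(text):
        for token in m.group(1).split():
            if token.startswith("-"):  # pip option such as --upgrade, not a name
                continue
            match = NAME_RE.match(token)  # drops extras and version specifiers
            if match:
                names.add(normalize(match.group(0)))
    return names

def pypi_exists(name: str) -> bool:
    """Live PyPI JSON API lookup; a 404 means nobody has registered the name."""
    req = Request(f"https://pypi.org/pypi/{name}/json", headers={"User-Agent": "dep-check"})
    try:
        with urlopen(req, timeout=10) as resp:
            return resp.status == 200
    except HTTPError as err:
        if err.code == 404:
            return False
        raise

def unregistered_names(text: str, exists: Callable[[str], bool] = pypi_exists) -> Set[str]:
    """Install-instruction names the registry does not know: hijack candidates."""
    return {n for n in extract_install_names(text) if not exists(n)}
```

Run `unregistered_names(SAMPLE_README, lambda n: n in {"qiskit"})` for an offline demonstration with a constructed registry snapshot; calling it with the default `exists` performs the live lookup.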
ashishbijlani commented 11 months ago

Sorry about the duplicate reporting.