I'm a Cyber Security researcher and developer of PackjGuard [1] to address open-source software supply chain attacks.
Issue
During my research, I detected a deleted package in this repository.
Details
Specifically, the package perlib mentioned in file README at line 26 does not exist on the public PyPI registry. A bad actor can hijack this package to propagate malicious code.
Impact
Not only your apps/services using https://github.com/ruzgarkanar/perlib repo code are vulnerable to this attack, but the users of your open-source Github repo could also fall victim.
Please highlight this in file README and register a placeholder package for perlib on public PyPI soon to remediate.
To automatically fix such issues in future, please install PackjGuard Github app [1].
Thanks!
PackjGuard is a Github app that monitors your repos 24x7, detects vulnerable/malicious/risky open-source dependencies, and creates pull requests for auto remediation: https://github.com/marketplace/packjguard
I'm a Cyber Security researcher and developer of PackjGuard [1] to address open-source software supply chain attacks.
Issue
During my research, I detected a deleted package in this repository.
Details
Specifically, the package
perlib
mentioned in fileREADME
at line 26 does not exist on the public PyPI registry. A bad actor can hijack this package to propagate malicious code.Impact
Not only your apps/services using
https://github.com/ruzgarkanar/perlib
repo code are vulnerable to this attack, but the users of your open-source Github repo could also fall victim.You could read more about such attacks here: https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610
Remediation
Please highlight this in file README and register a placeholder package for
perlib
on public PyPI soon to remediate.To automatically fix such issues in future, please install PackjGuard Github app [1].
Thanks!