Skip to content

code execution backdoor #5

Closed
Closed
@di1l0o

Description

We found a malicious backdoor in versions 0.1~0.13 of this project, and its malicious backdoor is the request package. Even if the request package was removed by pypi, many mirror sites did not completely delete this package, so it could still be installed.When using pip3 install marcador==0.13 -i http://pypi.doubanio.com/simple --trusted-host pypi.doubanio.com, the request malicious plugin can be successfully installed.

image

Repair suggestion: delete version 0.1~0.13 in PyPI

Metadata

Assignees

Labels

No labels
No labels

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions