We found a malicious backdoor in versions 0.1~0.13 of this project, and its malicious backdoor is the request package. Even if the request package was removed by pypi, many mirror sites did not completely delete this package, so it could still be installed.When using pip3 install marcador==0.13 -i http://pypi.doubanio.com/simple --trusted-host pypi.doubanio.com, the request malicious plugin can be successfully installed.
Repair suggestion: delete version 0.1~0.13 in PyPI
The text was updated successfully, but these errors were encountered:
Just so I understand. You are using the http://pypi.doubanio.com/simple mirror when installing marcador. The malicious package is present in this mirror? Is it also present in the official pypi mirrors?
I see no problem in removing those versions from pypi just want to understand a bit better the thread model here :)
We found a malicious backdoor in versions 0.1~0.13 of this project, and its malicious backdoor is the request package. Even if the request package was removed by pypi, many mirror sites did not completely delete this package, so it could still be installed.When using pip3 install marcador==0.13 -i http://pypi.doubanio.com/simple --trusted-host pypi.doubanio.com, the request malicious plugin can be successfully installed.
Repair suggestion: delete version 0.1~0.13 in PyPI
The text was updated successfully, but these errors were encountered: