code execution backdoor #1
Comments
Looking at the commit that added the
Thanks @duxinglin1 for the advice. As it is an abandoned project and I doubt anybody ever used it, I will delete the PyPI packages and push a blank state to the repo to avoid any unintentional install. I will keep it, not fully erase it, for sentimental reasons. Feel free to grab any code if it is of interest to you. Dear @okuuva, I do not understand how you came to the conclusion that this project is some kind of trojan, only from the fact that I added a 50k-star PyPI package, namely request. I don't even pin the package versions in the dependencies. Your assumption has left me, for lack of a better term, speechless.
I didn't come to any conclusions or make any assumptions, I just said that the activity seems odd. Again, I'm not accusing you of anything. I'm just saying there's a lot of odd activity around this package both in PyPI and this repo.
@josubg I took a better look at the commit history and it seems that it could've been an honest mistake. You had a typo in a few
We found a malicious backdoor in versions 0.9.50~1.0.1 of this project, and its malicious backdoor is the request package. Even though the request package was removed from PyPI, many mirror sites did not completely delete this package, so it can still be installed. When using pip install django-navbar-client==1.0.1 -i http://pypi.doubanio.com/simple --trusted-host pypi.doubanio.com, the request malicious plugin is successfully installed.
Repair suggestion: delete versions 0.9.50~1.0.1 from PyPI
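The report above describes the pattern a defender wants to catch before `pip install` runs: a dependency whose name is one character away from a popular package (request vs requests). The following is an added example, not code from the django-navbar-client project or from anyone in this thread. It parses Requires-Dist or requirements.txt style lines and flags names that are either on a known-bad list (only `request`, the name the issue itself identifies) or within one edit of a popular package. The popular-package list and the sample metadata lines are constructed for the demonstration.

```python
"""Flag typosquat-style dependency names before installing a package.

Added example, not part of the django-navbar-client project. The POPULAR
allowlist and SAMPLE_METADATA below are constructed for the demo; KNOWN_BAD
holds only the name the issue report identifies as malicious.
"""
import re

# Assumed short allowlist of well-known packages; a real check would load a
# larger list (e.g. the top-N most downloaded names).
POPULAR = {"requests", "urllib3", "django", "numpy", "cryptography"}

# The dependency the issue report names as the backdoor.
KNOWN_BAD = {"request"}

_NAME_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalize(name):
    """PEP 503 name normalization: case-insensitive, runs of -_. become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a, b):
    """Levenshtein distance; inputs are short package names so O(n*m) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_requirement(line):
    """Return the package name from a requirement or Requires-Dist line, or None."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    if line.lower().startswith("requires-dist:"):
        line = line.split(":", 1)[1].strip()
    m = _NAME_RE.match(line)
    return m.group(1) if m else None


def check_dependencies(lines, popular=POPULAR, known_bad=KNOWN_BAD):
    """Return a list of (raw_name, reason) for suspicious dependency names."""
    findings = []
    for line in lines:
        raw = parse_requirement(line)
        if raw is None:
            continue
        name = normalize(raw)
        if name in known_bad:
            findings.append((raw, "known malicious/typosquat name"))
            continue
        if name in popular:
            continue  # exact match with a well-known package is fine
        for good in popular:
            if edit_distance(name, good) == 1:
                findings.append((raw, f"one edit away from '{good}'"))
                break
    return findings


# Constructed sample: what a package's METADATA might declare. The 'urlib3'
# entry is invented to show the edit-distance rule; only 'request' is from the
# issue report.
SAMPLE_METADATA = [
    "Requires-Dist: Django (>=2.0)",
    "Requires-Dist: request",
    "Requires-Dist: requests",
    "Requires-Dist: urlib3",
]

if __name__ == "__main__":
    for raw, reason in check_dependencies(SAMPLE_METADATA):
        print(f"SUSPICIOUS dependency {raw!r}: {reason}")
```

Running the check against the constructed metadata reports `request` as a known bad name and `urlib3` as one edit from `urllib3`, while `Django` and `requests` pass. In practice you would run this over the metadata of a wheel or sdist fetched with `pip download` before installing, which also covers the mirror case the report describes, since the check looks at the declared dependency names rather than at which index served them.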