PyPi has a Critical Vulnerability


The operators of the official Python Package Index (PyPI) repository has eliminated 8 libraries that contain malicious code. The developers of PyPI have recently fixed the 3 most severe vulnerabilities, one of which allows a threat actor to take full control of the portal.

All these vulnerabilities were identified by a well-known Japanese cybersecurity analyst, RyotaK. He analyzed the PyPI code that is available on GitHub and identified that if these three vulnerabilities were exploited by the hackers then they would be able to do the following things:-

  • Delete documentation files from other people’s projects.
  • Remove roles in other people’s projects.
  • Run bash commands in the PyPI codebase itself using GitHub Actions.

Vulnerability in Legacy Document Deletion on PyPI

This security flaw is exploitable in the mechanisms for deleting legacy documentation hosting deployment tooling on PyPI. Also it allows a hacker to remove documentation for projects that are not under…

View original post 243 more words

Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.