CySecurity News – Latest Information Security and Hacking Incidents
GitHub user duxinglin1 has identified three PyPI packages, ‘keep,’ ‘pyanxdns,’ and ‘api-res-py,’ that pull in a malicious dependency named ‘request.’
Last month, duxinglin1 found that the affected versions declare the misspelled ‘request’ dependency rather than the legitimate ‘requests’ library, so installing them also installs the malicious package. The CVEs assigned to the affected versions are:
• CVE-2022-30877 – ‘keep’ version 1.2 depends on the backdoored ‘request’ package
• CVE-2022-30882 – ‘pyanxdns’ version 0.2 affected
• CVE-2022-31313 – ‘api-res-py’ version 0.1 affected
According to duxinglin1, the risk from ‘keep’ is considerably higher because it averages over 8,000 downloads per week, whereas ‘pyanxdns’ and ‘api-res-py’ are small projects with far fewer users.
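A practical check for this class of problem, added here as an example (not code from the article, from duxinglin1, or from the affected projects): scan a requirements list for dependency names that are one edit away from a well-known package, and for the exact package/version pairs the article lists. The allowlist of known packages and the sample requirements below are constructed for illustration; a real deployment would load the PyPI top-downloads list instead.

```python
"""Flag typosquat-looking dependencies such as 'request' (vs. 'requests').

Added example, not code from the original article or from duxinglin1.
KNOWN_PACKAGES and SAMPLE_REQUIREMENTS are constructed for illustration.
"""
import re

# Constructed allowlist (assumption: the names you treat as canonical).
KNOWN_PACKAGES = {
    "requests", "urllib3", "numpy", "setuptools", "pip", "six",
    "certifi", "idna", "charset-normalizer", "python-dateutil",
}

# Package/version pairs the article reports as depending on 'request'.
ARTICLE_AFFECTED = {"keep": "1.2", "pyanxdns": "0.2", "api-res-py": "0.1"}

# Constructed requirements.txt content used as sample input.
SAMPLE_REQUIREMENTS = [
    "# pinned deps",
    "requests==2.28.1",
    "request",            # one character short of 'requests'
    "keep==1.2",          # version the article says pulls in 'request'
    "pyanxdns==0.3",      # not the affected version
    "numpy>=1.22",
    "-r extra.txt",
]

# Distribution name, optionally followed by an '==' pin.
_REQ_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:==\s*([^\s;,]+))?")


def normalize(name: str) -> str:
    """PEP 503 normalization: case-fold and collapse runs of -_. to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirement(line: str):
    """Return (normalized_name, pinned_version_or_None) for one requirements
    line, or None for blank lines, comments and options such as '-r'."""
    stripped = line.split("#", 1)[0].strip()
    if not stripped or stripped.startswith("-"):
        return None
    m = _REQ_RE.match(stripped)
    if not m:
        return None
    return normalize(m.group(1)), m.group(2)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a distance of 1 catches 'request'/'requests'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def suspicious_lookalikes(requirements, known=KNOWN_PACKAGES, max_distance=1):
    """Map each dependency within max_distance edits of a known package
    (but not equal to it) to the known package it resembles."""
    known_norm = {normalize(k) for k in known}
    findings = {}
    for line in requirements:
        parsed = parse_requirement(line)
        if parsed is None or parsed[0] in known_norm:
            continue
        name = parsed[0]
        for k in sorted(known_norm):
            if edit_distance(name, k) <= max_distance:
                findings[name] = k
                break
    return findings


def affected_versions(requirements, affected=ARTICLE_AFFECTED):
    """List (name, version) pins that match the article's affected versions."""
    hits = []
    for line in requirements:
        parsed = parse_requirement(line)
        if parsed and parsed[1] is not None and affected.get(parsed[0]) == parsed[1]:
            hits.append(parsed)
    return hits


if __name__ == "__main__":
    print("lookalikes:", suspicious_lookalikes(SAMPLE_REQUIREMENTS))
    print("affected pins:", affected_versions(SAMPLE_REQUIREMENTS))
```

The lookalike check is deliberately narrow (distance 1 against a short allowlist) to keep false positives low; widening the allowlist to the full top-downloads list is where it starts paying off. Note that a requirements file only catches direct dependencies: the article's point is that ‘request’ arrived transitively via ‘keep,’ so the same check should also be run over the `Requires-Dist` metadata of every installed distribution.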
Two years back in 20
[…]