Thousands of abandoned PyPI projects could be hijacked: Report
- by nlqip
“The problem is that while this is being discussed, attackers can already use this method to gain code execution on many PyPI users as we’ve demonstrated.”
Advice for CISOs, app leaders
Infosec leaders should warn their staff that a new version of a package can potentially include malicious code, he said, even if the last version of the package was completely fine. Upgrading is dangerous, even on a previously-trusted package, he added.
Before deciding to upgrade a package, scan or inspect the latest version of that package to make sure it is safe, he urged. In addition, JFrog recommends upgrading to a new package version only after that version has existed publicly for at least 14 days, since after that time interval, package hijack attempts have usually been discovered
Source link
lol
“The problem is that while this is being discussed, attackers can already use this method to gain code execution on many PyPI users as we’ve demonstrated.” Advice for CISOs, app leaders Infosec leaders should warn their staff that a new version of a package can potentially include malicious code, he said, even if the last…
Recent Posts
- Arm To Seek Retrial In Qualcomm Case After Mixed Verdict
- Jury Sides With Qualcomm Over Arm In Case Related To Snapdragon X PC Chips
- Equinix Makes Dell AI Factory With Nvidia Available Through Partners
- AMD’s EPYC CPU Boss Seeks To Push Into SMB, Midmarket With Partners
- Fortinet Releases Security Updates for FortiManager | CISA