Thousands of abandoned PyPI projects could be hijacked: Report
- by nlqip
“The problem is that while this is being discussed, attackers can already use this method to gain code execution on many PyPI users as we’ve demonstrated.”
Advice for CISOs, app leaders
Infosec leaders should warn their staff that a new version of a package can potentially include malicious code, he said, even if the last version of the package was completely fine. Upgrading is dangerous, even on a previously-trusted package, he added.
Before deciding to upgrade a package, scan or inspect the latest version of that package to make sure it is safe, he urged. In addition, JFrog recommends upgrading to a new package version only after that version has existed publicly for at least 14 days, since after that time interval, package hijack attempts have usually been discovered.
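The 14-day rule above can be enforced mechanically. The following is an added example, not code from the article or from JFrog: it takes the `releases` map in the shape returned by the PyPI JSON API (`https://pypi.org/pypi/<name>/json`, version -> list of uploaded files with an `upload_time_iso_8601` field) and picks the newest release that has been public long enough, while listing newer releases still inside the quarantine window. The package data below is constructed.

```python
"""Quarantine check for PyPI upgrades (added example; sample data is constructed)."""
from datetime import datetime, timedelta, timezone

MIN_AGE = timedelta(days=14)  # window recommended in the article

# Constructed stand-in for the "releases" object of a PyPI JSON API response.
SAMPLE_RELEASES = {
    "0.9.0": [],  # release with no uploaded files (e.g. removed)
    "1.0.0": [{"upload_time_iso_8601": "2023-03-01T10:00:00.000000Z"}],
    "1.1.0": [{"upload_time_iso_8601": "2024-08-20T09:30:00.000000Z"},
              {"upload_time_iso_8601": "2024-08-20T09:31:00.000000Z"}],
    "1.1.1": [{"upload_time_iso_8601": "2024-09-05T18:45:00.000000Z"}],  # fresh
}
NOW = datetime(2024, 9, 11, tzinfo=timezone.utc)  # constructed "current" time


def release_published_at(files):
    """Moment a release became public: its earliest file upload.
    Returns None when the release has no files at all."""
    times = [datetime.fromisoformat(f["upload_time_iso_8601"].replace("Z", "+00:00"))
             for f in files]
    return min(times) if times else None


def choose_upgrade(releases, now, min_age=MIN_AGE):
    """Return (pinnable_version, quarantined_versions).

    pinnable_version: the most recently published release that has been
    public for at least `min_age`, or None if no release qualifies.
    quarantined_versions: newer releases still inside the window, which
    should be inspected before anyone upgrades to them."""
    published = {}
    for version, files in releases.items():
        ts = release_published_at(files)
        if ts is not None:
            published[version] = ts
    # Order by publication time rather than by version string, so no
    # version-parsing assumptions are needed.
    ordered = sorted(published, key=published.get, reverse=True)
    quarantined = [v for v in ordered if now - published[v] < min_age]
    old_enough = [v for v in ordered if now - published[v] >= min_age]
    return (old_enough[0] if old_enough else None), quarantined


if __name__ == "__main__":
    pin, held = choose_upgrade(SAMPLE_RELEASES, NOW)
    print(f"pin to {pin}; still in quarantine: {held}")  # pin to 1.1.0; still in quarantine: ['1.1.1']
```

In practice the `releases` argument is the parsed JSON fetched for the package, and `now` is the wall clock; a release that ages past the window should still be inspected, the window only lowers the odds of installing a hijacked version before it is noticed.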