Workload misconfigurations

PyPi package potentially vulnerable to dependency confusion attack

Platform(s)

  • Non-platform specific

Compliance Frameworks

CPRA, iso_27001_2022, iso_27002_2022, NIST 800-53

Description

A Dependency Confusion attack occurs when a software installer script is tricked into pulling a malicious package from a public repository instead of the intended file of the same name from an internal repository. It was found that the package was found missing from PyPI Public Registry. A bad actor can abuse such scenario to create a malicious PyPI package and register it in the public PyPI Registry with the same name.
Need help?

Get a free Security Risk Assessment. Start today

A screenshot of the Orca platform dashboard summarizing all of your cloud security risks

Personalized Demo

See Orca Security in Action

Gain visibility, achieve compliance, and prioritize risks with the Orca Cloud Security Platform.

Get a Demo