Workload misconfigurations

PyPI package potentially vulnerable to dependency confusion attack

Platform(s)
  • N/A

Description

A dependency confusion attack occurs when a software installer script is tricked into pulling a malicious package from a public repository instead of the intended file of the same name from an internal repository. The package was found to be missing from the public PyPI registry. A bad actor can abuse this situation by creating a malicious PyPI package and registering it in the public PyPI registry under the same name.
Recommended Mitigation

To remediate a potential pip dependency confusion, consider the following steps:
  • Conduct an audit using tools like pipdeptree or vulnerability scanners to identify vulnerable packages in your Python project.
  • Pin dependencies to specific versions in your project's requirements.txt or Pipfile.lock files to ensure precise versions are installed.
  • Use trusted package indexes such as PyPI and avoid installing packages from untrusted or unfamiliar sources.
  • Remove or replace any suspicious or unauthorized packages detected during the audit.
  • Regularly update dependencies by reviewing and upgrading them using commands like pip install --upgrade or package management tools like pipenv or poetry.
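The audit described above can be scripted. The following is an added example, not part of the original finding or of any scanner's own code: it parses a requirements.txt, reports names that are not registered on public PyPI, and reports dependencies that lack an exact == pin. The sample file and the "acme" package names are constructed, and the live lookup assumes PyPI's JSON endpoint https://pypi.org/pypi/<name>/json answers 404 for unregistered names.

```python
import re
import urllib.error
import urllib.request

# Constructed sample requirements.txt; the "acme" names are made up.
SAMPLE_REQUIREMENTS = """\
requests==2.31.0
acme-internal-utils>=1.0   # internal package
Acme_Billing.Client==4.2.1
flask
"""

def normalize(name):
    """PEP 503 normalization: lowercase, runs of '-', '_', '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_requirements(text):
    """Yield (normalized_name, is_pinned) for each requirement line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):  # blank line or pip option
            continue
        m = re.match(r"([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*([^;]*)", line)
        if m:
            spec = m.group(3).strip()
            yield normalize(m.group(1)), spec.startswith("==") and "*" not in spec

def exists_on_public_pypi(name):
    """Assumed lookup: pypi.org JSON endpoint answers 404 for unregistered names."""
    try:
        with urllib.request.urlopen(f"https://pypi.org/pypi/{name}/json", timeout=10):
            return True
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return False
        raise

def audit(text, exists=exists_on_public_pypi):
    """Report names absent from the public index and names without an == pin."""
    findings = {"missing_from_public": [], "unpinned": []}
    for name, pinned in parse_requirements(text):
        if not exists(name):
            findings["missing_from_public"].append(name)
        if not pinned:
            findings["unpinned"].append(name)
    return findings

if __name__ == "__main__":  # offline demo: constructed stand-in for the live lookup
    print(audit(SAMPLE_REQUIREMENTS, exists=lambda n: n in {"requests", "flask"}))
```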