Workload misconfigurations

PyPi package potentially vulnerable to dependency confusion attack

Platform(s)
  • Non-platform specific

Compliance Frameworks
  • CPRA
  • ,
  • iso_27001_2022
  • ,
  • iso_27002_2022
  • ,
  • NIST 800-53

Description

A Dependency Confusion attack occurs when a software installer script is tricked into pulling a malicious package from a public repository instead of the intended file of the same name from an internal repository. It was found that the package was found missing from PyPI Public Registry. A bad actor can abuse such scenario to create a malicious PyPI package and register it in the public PyPI Registry with the same name.