
code execution backdoor

Open · di1l0o opened this issue 3 years ago • 1 comment

We found a malicious backdoor in version 1.2 of this project, and its malicious backdoor is the `request` package. Even if the `request` package was removed by PyPI, many mirror sites did not completely delete this package, so it could still be installed. When using `pip3 install keep==1.2 -i http://pypi.doubanio.com/simple --trusted-host pypi.doubanio.com`, the `request` malicious plugin can be successfully installed.


Repair suggestion: delete version 1.2 in PyPI

di1l0o, May 11 '22 11:05
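A defender-side check for the kind of poisoned dependency reported above, added here as an example and not code from the keep project or from this thread: it reads a distribution's METADATA (`Requires-Dist` headers) and the installed environment for requirements on names known to have been pulled from PyPI as malicious, using PEP 503 name normalization so that `Request` is flagged while the legitimate `requests` is not. The sample METADATA is constructed for the demo, and any denylist entry beyond `request` is an assumption to be filled from your own intelligence.

```python
"""Audit Python package metadata for dependencies on names removed from PyPI as malicious."""
import re
from email.parser import Parser
from importlib import metadata

# Names known to have been removed from PyPI as malicious. "request" is the one
# reported in this issue; anything further is an assumption for you to maintain.
REMOVED_MALICIOUS = {"request"}

_NAME_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def canonical(name):
    """PEP 503 normalization: lowercase and collapse runs of '-', '_', '.' to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def requirement_name(req):
    """Distribution name from a Requires-Dist value such as
    'Request (>=0.1) ; extra == "all"' (version spec and markers ignored)."""
    m = _NAME_RE.match(req)
    return canonical(m.group(1)) if m else None


def suspicious_requirements(metadata_text, denylist=REMOVED_MALICIOUS):
    """Return (name, version, [flagged Requires-Dist values]) for one METADATA file."""
    bad = {canonical(d) for d in denylist}
    msg = Parser().parsestr(metadata_text)  # METADATA is RFC 822 style headers
    flagged = [r for r in msg.get_all("Requires-Dist", []) if requirement_name(r) in bad]
    return msg.get("Name"), msg.get("Version"), flagged


def audit_installed(denylist=REMOVED_MALICIOUS):
    """Scan every installed distribution for denylisted requirements; returns hits."""
    bad = {canonical(d) for d in denylist}
    return [(dist.metadata["Name"], dist.version, r)
            for dist in metadata.distributions()
            for r in (dist.requires or []) if requirement_name(r) in bad]


# Constructed METADATA resembling a poisoned release (not the real keep 1.2 file).
SAMPLE_METADATA = """\
Metadata-Version: 2.1
Name: keep
Version: 1.2
Requires-Dist: requests
Requires-Dist: Request (>=0.1) ; extra == "all"
Requires-Dist: terminaltables
"""

if __name__ == "__main__":
    print(suspicious_requirements(SAMPLE_METADATA))  # flags only the 'Request' line
    print(audit_installed())
```

Run it against a downloaded archive's METADATA before installing (for example after `pip download --no-deps`) so a mirror that still serves a pulled dependency is caught before anything executes.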

@OrkoHunter Would it be possible to yank this vulnerable version (1.2) from PyPI, to prevent the issue described above?

facutuesca, Aug 23 '23 15:08