Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS0ycjZnLTdyODMtamc3Ms4AA_D_
`spam` project on PyPI compromised, malicious releases made
The spam project on PyPI was taken over via user account compromise via a phishing attack and a new malicious release made which contained code which some environment variables and downloaded and ran malware at install time
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0ycjZnLTdyODMtamc3Ms4AA_D_
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 3 months ago
Updated: 3 months ago
Identifiers: GHSA-2r6g-7r83-jg72
References:
- https://github.com/pypa/advisory-database/tree/main/vulns/spam/PYSEC-2022-251.yaml
- https://twitter.com/pypi/status/1562442207079976966
- https://github.com/advisories/GHSA-2r6g-7r83-jg72
Affected Packages
pypi:spam
Dependent packages: 1Dependent repositories: 7
Downloads: 6,118 last month
Affected Version Ranges: = 4.0.2, = 2.0.2
No known fixed version
All affected versions: 2.0.2, 4.0.2