The Hacker News (info@thehackernews.com)
PyPI (Python Package Index) has launched a new 'Project Archival' feature that lets maintainers mark projects as archived. The status signals to users that a project is no longer actively maintained and should not be expected to receive updates, including security fixes. Archived projects remain installable, but the new status warns developers about the risk of relying on unmaintained packages and so encourages more deliberate dependency management. Maintainers can archive a project from its settings page on PyPI, which causes a prominent notice to appear on the project's main page.
The archival system aims to improve supply chain security by explicitly communicating the maintenance status of projects. It builds on PyPI's existing "project quarantine" framework, introduced in late 2024, which allows administrators to mark suspicious projects and prevent their installation. By letting maintainers clearly denote that a project is archived, the feature improves visibility into the lifecycle of packages. PyPI recommends that package developers release a final version before archiving, including a detailed update in the project description that explains the project's status. Archival is reversible, so project owners can resume maintenance later if they choose. As part of broader efforts to improve project lifecycle management on PyPI, further status labels such as "deprecated" or "unmaintained" may be introduced, along with updates to PyPI's public APIs to make project status information easier to retrieve. The goal is a more structured and informative ecosystem for Python developers.
Samarth Mishra (cysecurity.news)
A malicious Python package named 'set-utils' has been discovered on the Python Package Index (PyPI). The package is designed to steal Ethereum private keys by hooking commonly used account creation functions. Disguised as a utility for Python sets and mimicking the names of popular libraries, it tricks developers into installing it. Since its appearance, 'set-utils' has been downloaded over 1,000 times, posing a significant threat to Ethereum users and developers, particularly those working with Python-based wallet management libraries. The Python security team has removed the malicious package from PyPI.
The 'set-utils' package works by silently modifying standard Ethereum wallet creation functions. Stolen private keys are encrypted with an attacker-controlled RSA public key before transmission and then exfiltrated inside blockchain transactions sent through the Polygon RPC endpoint, so the traffic blends in with legitimate network activity and resists traditional detection. Even after the package is uninstalled, any Ethereum wallets created while it was active remain compromised and should be treated as such. To mitigate these risks, developers should perform regular dependency audits and use automated scanning tools to detect malicious behaviour in third-party packages.