“The problem is that while this is being discussed, attackers are already able to use this method to get code usage from many PyPI users as we have shown.”
Advice for CISOs, application leaders
Infosec leaders should warn their employees that a new version of a package can inject malicious code, he said, even if the previous version of that package is perfectly fine. Upgrades are risky, even in a previously trusted package, he added.
Before deciding to upgrade a package, scan or test the latest version of that package to make sure it is safe, he said. In addition, JFrog recommends upgrading to a new package version only after that version has been publicly available for at least 14 days: by the end of that cooling-off period, package hijacking attempts have usually been detected.
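The cooling-off rule above is easy to automate against PyPI's release metadata. The script below is an added example written for this article, not JFrog's tooling or code from the original page: it reads the response shape of the real PyPI JSON API (https://pypi.org/pypi/<name>/json), drops yanked releases, and picks the newest release whose first file was uploaded at least 14 days before "now". The package name "example-lib", its version numbers and upload dates are constructed sample data; the live fetch in main() is optional and is not used by the sample run.

```python
"""Choose a PyPI release that has cleared a cooling-off period.

Added example for this article. Real input comes from
https://pypi.org/pypi/<name>/json; SAMPLE_PYPI_JSON below is constructed
in that shape and contains only the fields this script reads.
"""
import json
import urllib.request
from datetime import datetime, timedelta, timezone

COOLING_OFF = timedelta(days=14)  # JFrog's suggested waiting period

# Constructed sample (not real package data). 2.0.0 has every file yanked,
# so it must never be selected regardless of its age.
SAMPLE_PYPI_JSON = json.dumps({
    "info": {"name": "example-lib", "version": "2.0.1"},
    "releases": {
        "1.4.0": [{"upload_time_iso_8601": "2024-01-10T09:00:00.000000Z", "yanked": False}],
        "1.4.1": [{"upload_time_iso_8601": "2024-02-20T12:30:00.000000Z", "yanked": False}],
        "2.0.0": [{"upload_time_iso_8601": "2024-03-01T08:00:00.000000Z", "yanked": True}],
        "2.0.1": [{"upload_time_iso_8601": "2024-03-08T16:45:00.000000Z", "yanked": False}],
    },
})


def parse_time(iso_utc):
    """Parse PyPI's ISO-8601 upload timestamps (they end in 'Z')."""
    return datetime.fromisoformat(iso_utc.replace("Z", "+00:00"))


def release_times(pypi_json):
    """Map each non-yanked release to the upload time of its earliest file."""
    data = json.loads(pypi_json)
    times = {}
    for version, files in data["releases"].items():
        live = [f for f in files if not f.get("yanked", False)]
        if not live:
            continue  # all files yanked: the release has been withdrawn
        times[version] = min(parse_time(f["upload_time_iso_8601"]) for f in live)
    return times


def classify(pypi_json, now, cooling_off=COOLING_OFF):
    """Split releases into (eligible, too_new), each newest upload first."""
    cutoff = now - cooling_off
    times = release_times(pypi_json)
    by_newest = lambda v: times[v]
    eligible = sorted((v for v, t in times.items() if t <= cutoff), key=by_newest, reverse=True)
    too_new = sorted((v for v, t in times.items() if t > cutoff), key=by_newest, reverse=True)
    return eligible, too_new


def pick_version(pypi_json, now, cooling_off=COOLING_OFF):
    """Newest release old enough to install, or None if nothing qualifies."""
    eligible, _ = classify(pypi_json, now, cooling_off)
    return eligible[0] if eligible else None


def fetch_metadata(name):
    """Fetch live metadata from PyPI (network; not used in the sample run)."""
    with urllib.request.urlopen("https://pypi.org/pypi/%s/json" % name, timeout=10) as resp:
        return resp.read().decode("utf-8")


def main():
    now = parse_time("2024-03-15T00:00:00Z")  # constructed "today"
    eligible, too_new = classify(SAMPLE_PYPI_JSON, now)
    print("eligible (>= 14 days old):", eligible)
    print("too new, wait:           ", too_new)
    print("install:", pick_version(SAMPLE_PYPI_JSON, now))


if __name__ == "__main__":
    main()
```

Because selection is by upload time rather than version number, a hijacked release that jumps to a much higher version still has to wait out the full period; a version-ordered variant would need PEP 440 parsing (for example via the packaging library). Note that 14 days is a heuristic from the article, not a guarantee that a malicious upload has been caught.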