Fluid Attacks Database

Description

spam project on PyPI compromised, malicious releases made The spam project on PyPI was taken over via user account compromise via a phishing attack and a new malicious release made which contained code which some environment variables and downloaded and ran malware at install time

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version
pypi	spam	=2.0.2 \|\| =4.0.2

Aliases

1. GCVE-GHSA-2r6g-7r83-jg72

References

1. https://github.com/pypa/advisory-database/tree/main/vulns/spam/PYSEC-2022-251.yaml2. https://twitter.com/pypi/status/1562442207079976966

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.