Fluid Attacks Database

Description

The spam project on PyPI was taken over via user account compromise via a phishing attack and a new malicious release made which contained code which some environment variables and downloaded and ran malware at install time

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version
pypi	spam	=2.0.2 \|\| =4.0.2 \|\| >=2.0.2

Aliases

1. OSV-PYSEC-2022-2512. GCVE-PYSEC-2022-251

References

1. https://twitter.com/pypi/status/1562442207079976966

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.