PyPI Python Package Repository fixes a critical flaw in the supply chain.

02-Aug-21

Last week, the maintainers of the Python Package Index (PyPI) released fixes for three vulnerabilities, one of which could be exploited to gain complete control of the official third-party software repository and execute arbitrary code.

Due to a flaw in “combineprs.yml,” a GitHub Actions workflow in PyPI’s source repository, an adversary could obtain write permission for the main branch of the “pypa/warehouse” repository and thus execute malicious code on pypi.org.
