all InfoSec news logo
all InfoSec news - Your InfoSec news aggregator
Log in Sign up
all InfoSec news

Malicious Python Packages and Code Execution via pip download

Add to bookmarks
e
Sept. 9, 2022, 11:30 p.m. |

Embrace The Red embracethered.com

This week I learned about a design flaw with pip download, which allows an adversary to run arbitrary code.
I assumed that running pip install means anything could happen, but pip download seems a bit surprising.
Both seem useful for red teaming though.
Background This post from Yehuda Gelb named Automatic Execution of Code Upon Package Download on Python Package Manager which the Security Now! podcast pointed me towards.
The post highlights that just running pip download can compromise your …

code code execution download malicious pip python

Visit resource

More from embracethered.com / Embrace The Red

Em
Bobby Tables but with LLM Apps - Google NotebookML Data Exfiltration 1 week, 3 days ago | embracethered.com
apps can chat control +19
Em
HackSpaceCon 2024: Short Trip Report, Slides and Rocket Launch 1 week, 4 days ago | embracethered.com
center class conference dave +14
Em
Google AI Studio Data Exfiltration via Prompt Injection - Possible Regression and Fix 2 weeks, 3 days ago | embracethered.com
data data exfiltration discipline easier +14
Em
The dangers of AI agents unfurling hyperlinks and what to do about it 3 weeks, 1 day ago | embracethered.com
agents ai agents ai chatbots attackers +11
Em
ASCII Smuggler - Improvements 1 month, 3 weeks ago | embracethered.com
ascii decode decoding end +11
Em
Who Am I? Conditional Prompt Injection Attacks with Microsoft Copilot 1 month, 3 weeks ago | embracethered.com
applications attackers attacks building +23
Em
Google Gemini: Planting Instructions For Delayed Automatic Tool Invocation 2 months ago | embracethered.com
attacker automatic bard called +11
Em
ChatGPT: Lack of Isolation between Code Interpreter sessions of GPTs 2 months, 1 week ago | embracethered.com
bug chatgpt code disclosure +11
Em
Video: ASCII Smuggling and Hidden Prompt Instructions 2 months, 1 week ago | embracethered.com
ascii beyond block call +8

Jobs in InfoSec / Cybersecurity

Post a job on infosec-jobs.com Find talent on infosec-jobs.com

SOC 2 Manager, Audit and Certification

@ Deloitte | US and CA Multiple Locations
View on infosec-jobs.com

Security Engineer, Infrastructure Protection

@ Google | Hyderabad, Telangana, India
View on infosec-jobs.com

Senior Security Software Engineer

@ Microsoft | London, London, United Kingdom
View on infosec-jobs.com

Consultor Ciberseguridad (Cadiz)

@ Capgemini | Cádiz, M, ES
View on infosec-jobs.com

Cyber MS MDR - Sr Associate

@ KPMG India | Bengaluru, Karnataka, India
View on infosec-jobs.com

Privacy Engineer, Google Cloud Privacy

@ Google | Pittsburgh, PA, USA; Raleigh, NC, USA
View on infosec-jobs.com
View more jobs