#1 Trusted Cybersecurity News Platform
The Hacker News Logo
Subscribe to Newsletter

The Hacker News - Most Trusted Cyber Security and Computer Security Analysis: Python Library

Warning: PyPI Feature Executes Code Automatically After Python Package Download

Warning: PyPI Feature Executes Code Automatically After Python Package Download

September 02, 2022Ravie Lakshmanan
In another finding that could expose developers to increased risk of a supply chain attack, it has emerged that nearly one-third of the packages in PyPI, the Python Package Index, trigger automatic code execution upon downloading them. "A worrying feature in pip/PyPI allows code to automatically run when developers are merely downloading a package," Checkmarx researcher Yehuda Gelb  said  in a technical report published this week. "Also, this feature is alarming due to the fact that a great deal of the malicious packages we are finding in the wild use this feature of code execution upon installation to achieve higher infection rates." One of the ways by which packages can be installed for Python is by executing the " pip install " command, which, in turn, invokes a file called "setup.py" that comes bundled along with the module. "setup.py," as the name implies, is a  setup script  that's used to specify metadata associated wit
Critical Bugs Reported in Popular Open Source PJSIP SIP and Media Stack

Critical Bugs Reported in Popular Open Source PJSIP SIP and Media Stack

March 02, 2022Ravie Lakshmanan
As many as five security vulnerabilities have been disclosed in the PJSIP open-source multimedia communication library that could be abused by an attacker to trigger arbitrary code execution and denial-of-service (DoS) in applications that use the protocol stack. The weaknesses were  identified and reported  by JFrog's Security Research team, following which the project maintainers released patches ( version 2.12 ) last week on February 24, 2022. PJSIP is an open-source embedded  SIP protocol  suite written in C that supports audio, video, and instant messaging features for popular communication platforms such as  WhatsApp  and BlueJeans. It's also  used  by  Asterisk , a widely-used private branch exchange (PBX) switching system for VoIP networks. "Buffers used in PJSIP typically have limited sizes, especially the ones allocated in the stack or supplied by the application, however in several places, we do not check if our usage can exceed the sizes," PJSIP's
Deals — IT Courses and Software

Sign up for our cybersecurity newsletter and get latest news updates delivered straight to your inbox daily.