PyPI possible watering hole attack using unmet dependency `roslib`

Hello!

https://github.com/RaymondKirk/topic_store/blob/ad8c8578a6a3bff83b04caa427784d6be82a420e/src/extra_requirements.txt#L11

https://github.com/RaymondKirk/topic_store/blob/ad8c8578a6a3bff83b04caa427784d6be82a420e/src/setup.py#L38

This unmet dependency on library `roslib` (https://pypi.org/project/roslib/) may be registered in pypi by intruder.

This way intruder can:
- register `roslib` on pypi to execute malicious code in `topic-store` (at least in versions `0.1.8` and `0.1.7`).
- register `roslib` and add `topic_store` as a dependency of opensource package. `topic_store` library seems to be useful for manipulating with ROS messages, this way it won't be unusial to use it.
- register `roslib` + non-malicious typosquatted library (e.g. `eequests`) which will depends on `topic_store` - looks like good supply chain attack)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

PyPI possible watering hole attack using unmet dependency `roslib` #28

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

PyPI possible watering hole attack using unmet dependency roslib #28

Description

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions

PyPI possible watering hole attack using unmet dependency `roslib` #28