Security Alert: PyPI removes 'mitmproxy2' over code execution concerns

Feb 4, 2016
The PyPI repository has removed a Python package called 'mitmproxy2' that was an identical copy of the official "mitmproxy" library, but with an "artificially introduced" code execution vulnerability.
The official 'mitmproxy' Python library is a free and open-source interactive HTTPS proxy with over 40,000 weekly downloads.

Copycat package could trick devs into falling for 'newer' version

Yesterday, Maximilian Hils, one of the developers behind the 'mitmproxy' Python library, drew attention to a counterfeit 'mitmproxy2' package uploaded to PyPI.

'mitmproxy2' is essentially "the same as regular mitmproxy but with an artificial RCE vulnerability included."
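As an added defender-side example (not code from the article or from the mitmproxy project), the following audit walks a requirements file and flags dependency names that imitate a trusted package, either a trusted name with a trailing digit (the 'mitmproxy2' pattern) or a near-identical spelling; the trusted list and the sample requirements are constructed.

```python
import re
from difflib import SequenceMatcher

# Constructed allowlist of trusted project names; a real audit would use the
# organisation's own allowlist or lockfile instead of this short set.
TRUSTED = {"mitmproxy", "requests", "urllib3", "cryptography"}

# Leading project name on a requirements line (before ==, >=, [extras], ...).
_REQ_NAME = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalize(name: str) -> str:
    """PEP 503 normalisation: case-fold and collapse runs of '-', '_' and '.'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def lookalike(name: str, trusted=TRUSTED, threshold: float = 0.85):
    """Return the trusted name that `name` imitates, or None if it looks genuine.

    Two patterns are flagged: a trusted name followed only by digits
    (mitmproxy2, requests3), which suggests a fake 'newer version', and
    a spelling so close to a trusted name that it is likely a typosquat.
    """
    n = normalize(name)
    if n in trusted:
        return None
    for t in trusted:
        if re.fullmatch(re.escape(t) + r"\d+", n):
            return t
        if SequenceMatcher(None, n, t).ratio() >= threshold:
            return t
    return None


def audit_requirements(text: str):
    """Return a list of (requirement_name, imitated_name) for suspicious lines."""
    findings = []
    for line in text.splitlines():
        m = _REQ_NAME.match(line)
        if not m:
            continue  # blank, comment, or option line such as '-r other.txt'
        hit = lookalike(m.group(1))
        if hit:
            findings.append((m.group(1), hit))
    return findings


if __name__ == "__main__":
    # Constructed sample requirements file: one copycat name, one typosquat.
    sample = "mitmproxy2>=7.0\nrequests==2.26.0\nurlib3\ncryptography\n"
    for name, target in audit_requirements(sample):
        print(f"{name!r} looks like {target!r}: verify the publisher before installing")
```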