Vulnerability in legacy Python packages exposes PyPI supply chain to takeover attacks
Cybersecurity researchers have discovered vulnerable code in outdated Python packages that could pave the way for a supply chain compromise attack on the Python Package Index (PyPI) via a domain takeover technique. Software supply chain security company ReversingLabs identified the vulnerability in bootstrap files provided by a build and deployment automation tool called zc.buildout. The Risk of Takeover by Legacy Packages The problem lies in an old bootstrap script (bootstrap.py) that was used with zc.buildout to initialize the environment. This script had the ability to install the “Distribute” packaging utility, a short-lived fork of the Setuptools project. To do this, the Distribute installation script (distribute_setup.py) is downloaded from the python-distribute[.]org domain. ...