GHSA-xm4r-5rj9-2pg3: gratient 0.5 contains credential harvesting code
gratient is a user-facing library for generating color gradients of text. Version 0.5 contained obfuscated, malicious code targeting Windows platforms, harvesting information and credentials from the user’s system and sending them to a remote server. Services may include Mullvad VPN and Telegram.
References
- github.com/advisories/GHSA-xm4r-5rj9-2pg3
- github.com/pypa/advisory-database/tree/main/vulns/gratient/PYSEC-2024-1.yaml
- inspector.pypi.io/project/gratient/0.5/packages/c5/c5/353e45fa57fa5f1b2b42fa24a029cdfb018d7263850fb43b6d6352157734/gratient-0.5-py3-none-any.whl/gratient/__init__.py
- pypi.org/project/gratient
Detect and mitigate GHSA-xm4r-5rj9-2pg3 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →