GHSA-gvvw-rr8m-fj76: uniapi version 1.0.7 contained an information harvesting script.
(updated )
uniapi version 1.0.7 introduces code that would execute on import of the module and download a script from a remote URL, and would then execute the downloaded script in a thread. The downloaded script would harvest system information and POST the information to another remote URL. This code was found in the PyPI release artifacts and was not present in the public GitHub repository.
References
- github.com/advisories/GHSA-gvvw-rr8m-fj76
- github.com/kam193/package-campaigns/blob/main/pypi/campaigns/highly_suspicious/2025-01-uniapi.json
- github.com/pypa/advisory-database/tree/main/vulns/uniapi/PYSEC-2025-2.yaml
- inspector.pypi.io/project/uniapi/1.0.7/packages/0f/40/c6e06c22bbc22ef45f40bf5a7711763fa08fec4d16b4718d86fd60970131/uniapi-1.0.7.tar.gz/uniapi-1.0.7/uniapi/__init__.py
Detect and mitigate GHSA-gvvw-rr8m-fj76 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →