Malicious Package Affecting mjpoytwngddh package, versions [0,]


Severity

Recommended
0.0
critical
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

Exploit Maturity
Mature

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-PYTHON-MJPOYTWNGDDH-6483334
  • published25 Mar 2024
  • disclosed25 Mar 2024
  • creditCheckmarx Research Team

Introduced: 25 Mar 2024

Malicious CVE NOT AVAILABLE CWE-506  (opens in a new tab)

How to fix?

Avoid using all malicious instances of the mjpoytwngddh package.

Overview

mjpoytwngddh is a malicious package.

This instance of the mjpoytwngddh package contains malware and attempts to compromise users by adopting dependency confusion techniques. A dependency confusion attack is a type of supply chain attack where malicious software is inserted into the development process by replacing a legitimate software package with a malicious one.

Note: Users are exposed if they've installed the mjpoytwngddh package from public repositories. Installations of this package from private repositories or CDNs are likely safe to use.

This package is part of an attack campaign targeting the software supply chain, with evidence of successful exploitation of multiple victims. The threat actors used multiple TTPs in this attack, including account takeover via stolen browser cookies, contributing malicious code with verified commits, setting up a custom Python mirror, and publishing malicious packages to the PyPi registry.

These spoofed packages have no relation to the company or project they are attempting to spoof, and are not published by them or associated with them in any way. Out of an abundance of caution, Snyk will mark any occurrence of the package as malicious, regardless of download source. Only the user can determine with certainty whether it is the intended package and can be safely ignored.

References

CVSS Scores

version 3.1