Embedded Malicious Code Affecting uniapi package, versions [1.0.7]


Severity

Recommended
0.0
critical
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-PYTHON-UNIAPI-8663478
  • published28 Jan 2025
  • disclosed27 Jan 2025
  • creditKamil Mańkowski

Introduced: 27 Jan 2025

Malicious CVE NOT AVAILABLE CWE-506  (opens in a new tab)

How to fix?

Avoid using all malicious instances of the uniapi package.

Overview

uniapi is an A Universal API Framework.

Affected versions of this package are vulnerable to Embedded Malicious Code which contains code that executes upon importing the module. This code downloads a script from a remote URL and executes it in a thread. The downloaded script collects system information and sends it via a POST request to another remote URL.

CVSS Scores

version 4.0
version 3.1