GHSA-x6xg-3fj2-4pq3: `exotel` project on PyPI compromised, malicious release made

August 30, 2024

The exotel project on PyPI was taken over via user account compromise via a phishing attack and a new malicious release made which contained code which some environment variables and downloaded and ran malware at install time

References

github.com/advisories/GHSA-x6xg-3fj2-4pq3
github.com/pypa/advisory-database/tree/main/vulns/exotel/PYSEC-2022-250.yaml
twitter.com/pypi/status/1562442207079976966

Code Behaviors & Features

Detect and mitigate GHSA-x6xg-3fj2-4pq3 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →