
Deleted package detected #7

Closed
ashishbijlani opened this issue Jan 25, 2024 · 4 comments
Comments

@ashishbijlani

I'm a cybersecurity researcher and developer of PackjGuard [1] to address open-source software supply chain attacks.

Issue

During my research, I detected a deleted package in this repository.

Details

Specifically, the package vidiopy mentioned in file README at line 10 does not exist on the public PyPI registry. A bad actor can hijack this package to propagate malicious code.

Impact

Not only are your apps/services using https://github.com/SohamTilekar/vidiopy repo code vulnerable to this attack, but the users of your open-source GitHub repo could also fall victim.

You could read more about such attacks here: https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610

Remediation

Please highlight this in file README and register a placeholder package for vidiopy on public PyPI soon to remediate.

To automatically fix such issues in the future, please install the PackjGuard GitHub app [1].

Thanks!

  1. PackjGuard is a GitHub app that monitors your repos 24x7, detects vulnerable/malicious/risky open-source dependencies, and creates pull requests for auto remediation: https://github.com/marketplace/packjguard
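The check the report describes (a dependency name referenced by a repository that no longer resolves on the public registry) is easy to run yourself before a scanner does. The following is an added example, not code from PackjGuard or from the vidiopy project: it parses requirement-style lines, normalizes names per PEP 503, and flags any name the index does not know. The `SAMPLE_REQUIREMENTS` text and `FAKE_INDEX` are constructed so the script runs offline; `pypi_has_releases` is a real lookup against the PyPI JSON API, and its assumption that a 404 means "no project with releases under this name" is deliberate: a name that is reserved but has every release deleted (the situation resolved later in this thread) may also show no releases, so treat a hit as "verify manually", not as proof the name is free.

```python
import json
import re
import urllib.request
from urllib.error import HTTPError

# Constructed sample of requirement-style lines as they might appear in a
# README or requirements.txt (not taken from the vidiopy repository).
SAMPLE_REQUIREMENTS = """\
numpy>=1.24
vidiopy
requests==2.31.0  # pinned
# a comment line
-e .
"""

_NAME_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalize(name: str) -> str:
    """PEP 503 name normalization: runs of '-', '_' and '.' collapse to '-', lowercase."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text: str) -> list[str]:
    """Extract normalized distribution names from requirement-style lines.

    Comments, blank lines and option lines (e.g. '-e .', '-r other.txt') are skipped.
    """
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        match = _NAME_RE.match(line)
        if match:
            names.append(normalize(match.group(1)))
    return names


def pypi_has_releases(name: str):
    """Query the real PyPI JSON API for a project.

    Returns True if the project exists with at least one release, False on a 404
    (assumption: no project with releases is published under that name), and
    None when the answer is unknown (network error, rate limit, other HTTP code).
    """
    url = f"https://pypi.org/pypi/{name}/json"
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            data = json.load(resp)
            return bool(data.get("releases"))
    except HTTPError as err:
        return False if err.code == 404 else None
    except OSError:
        return None


def find_unregistered(text: str, lookup=pypi_has_releases) -> list[str]:
    """Return the names from `text` that `lookup` reports as not present.

    Names whose status is unknown (lookup returned None) are not flagged, so a
    transient network failure does not produce false alarms.
    """
    return [name for name in parse_requirements(text) if lookup(name) is False]


# Constructed offline stand-in for the registry: only these names "exist".
FAKE_INDEX = {"numpy": True, "requests": True}


def fake_lookup(name: str) -> bool:
    return FAKE_INDEX.get(name, False)


if __name__ == "__main__":
    # Offline run against the constructed index; swap in pypi_has_releases
    # (the default) to query the live registry.
    for missing in find_unregistered(SAMPLE_REQUIREMENTS, fake_lookup):
        print(f"WARNING: '{missing}' is referenced but not found on the index; verify it")
```

Run it as-is for the offline demonstration; call `find_unregistered(open("requirements.txt").read())` to check a real file against PyPI. The `None` return path matters in practice: a scanner that turns every failed request into "package missing" will generate exactly the kind of noisy report that makes maintainers ignore the real finding.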
@SohamTilekar
Owner

Thanks, but I have already secured the vidiopy project name on PyPI. Therefore it could not be used by another.
I already published the package on PyPI, then I deleted it due to some problem.
I am going to publish it again.

@ashishbijlani
Author

Deleted package names become available for use. An attacker can exploit this vulnerability and register a malicious package.

@SohamTilekar
Owner

I have a project name assigned on my account.

I only deleted the released version.

@ashishbijlani
Author

Oh ok. This makes sense. Thanks for providing the details! I will close this issue.
