CVE-2022-42039
Description
The d8s-lists package for Python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-dicts package. The affected version is 0.1.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The d8s-lists package on PyPI version 0.1.0 includes a backdoor via the democritus-dicts dependency, enabling arbitrary code execution.
Vulnerability
The d8s-lists package for Python, distributed on PyPI, included a potential code-execution backdoor in version 0.1.0 [1]. The backdoor is introduced through the democritus-dicts package, which is a dependency loaded by the project [2]. When a user installs d8s-lists==0.1.0, the democritus-dicts package is also installed, containing arbitrary malicious code [2].
Exploitation
No further attacker action is needed: the backdoor is already in what PyPI serves. d8s-lists 0.1.0 declares democritus-dicts as a dependency, and the democritus-dicts package was published by a third party and carries the malicious code [1][2]. A user who runs pip install d8s-lists==0.1.0 pulls in democritus-dicts during dependency resolution, and its code is executed with that user's privileges [2]. Nothing beyond installing the package is required: no additional user interaction and no special privileges. The record describes no flaw in the code of d8s-lists itself; the risk lies entirely in the dependency chain.
Impact
Successful exploitation gives the attacker arbitrary code execution as the user who installed the package [2]. On a developer workstation, CI runner or build server that means the installing identity's files, credentials and network access, and, depending on the payload, full compromise of the host, data exfiltration, or installation of further malware.
Mitigation
Version 0.1.0 is the only release listed as affected, and no fixed version has been released [2]. The d8s-lists maintainers suggest removing version 0.1.0 from PyPI [2]. Do not install or depend on d8s-lists==0.1.0; if a different or later version becomes available, check the PyPI page first [1]. Audit existing environments and lockfiles for both d8s-lists==0.1.0 and any distribution that pulls in democritus-dicts (for example with pip show d8s-lists democritus-dicts, or by searching pip freeze output), and treat any host that already installed the release as compromised rather than simply uninstalling the package.
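The audit described above, as an added example that is not code from the CVE record or from the d8s project. It checks a requirements.txt or pip freeze listing for the affected pin and for a direct pin of the backdoor package, and it walks the running interpreter's installed distributions with importlib.metadata to find anything that declares democritus-dicts as a dependency. The AFFECTED table and BACKDOOR name come from this CVE's description; the function names and the sample requirements text in the usage section are assumptions made for the example.

```python
"""Audit an environment or a requirements file for CVE-2022-42039.

Added example, not code from the CVE record or the d8s project.
"""
from __future__ import annotations

import re
from importlib import metadata

# From the CVE description: affected release and the malicious dependency.
AFFECTED = {"d8s-lists": {"0.1.0"}}
BACKDOOR = "democritus-dicts"

_PIN = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s;]+)")


def normalize(name: str) -> str:
    """PEP 503 name normalization: lowercase, runs of -_. become a hyphen."""
    return re.sub(r"[-_.]+", "-", name).lower()


def audit_requirements(text: str) -> list[str]:
    """Return findings for a requirements.txt / pip freeze style listing."""
    findings: list[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        match = _PIN.match(line)
        if not match:  # ranges, URLs and options are out of scope here
            continue
        name, version = normalize(match.group(1)), match.group(2)
        if name == BACKDOOR:
            findings.append(f"{line}: backdoor package pinned directly")
        elif version in AFFECTED.get(name, ()):
            findings.append(f"{line}: affected release (CVE-2022-42039)")
    return findings


def audit_installed() -> list[str]:
    """Check what is installed in the running interpreter.

    Flags the affected release, the backdoor package itself, and any
    distribution whose Requires-Dist names the backdoor package.
    """
    findings: list[str] = []
    for dist in metadata.distributions():
        name = normalize(dist.metadata["Name"])
        version = dist.version
        if name == BACKDOOR:
            findings.append(f"{name}=={version}: backdoor package installed")
        if version in AFFECTED.get(name, ()):
            findings.append(f"{name}=={version}: affected release installed")
        for req in dist.requires or []:
            # Requires-Dist looks like "pkg (>=1.0); extra == 'x'"; keep the name.
            req_name = re.split(r"[\s\[<>=!~;(]", req, 1)[0]
            if normalize(req_name) == BACKDOOR:
                findings.append(f"{name}=={version} requires {BACKDOOR}")
    return findings


if __name__ == "__main__":
    # Constructed sample lockfile for demonstration, not a real project's.
    SAMPLE = "requests==2.31.0\nD8S_Lists == 0.1.0  # pulled in by a tool\n"
    for finding in audit_requirements(SAMPLE) + audit_installed():
        print(finding)
```

Run it inside the virtual environment you want to check, because audit_installed() only sees the interpreter it runs under. A clean result from the requirements check is not proof of safety on its own: a transitive dependency can still resolve to democritus-dicts, which is why the installed-distribution walk also inspects Requires-Dist.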
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Python/d8s-lists
- Range: =0.1.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.