Removed malicious mitmproxy2 and mitmproxy-iframe packages from PyPI catalog

The author of mitmproxy, a tool for analyzing HTTP/HTTPS traffic, drew attention to the appearance of a fork of his project in the PyPI (Python Package Index) catalog of Python packages. The fork was distributed under the similar name mitmproxy2 and the non-existent version 8.0.1 (the current release is mitmproxy 7.0.4), in the expectation that inattentive users would take the package for a new edition of the main project (typosquatting) and would want to try the "new version".
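The naming and versioning trick described above (a near-identical name with a suffix, plus a version number higher than anything upstream has published) can be screened for mechanically before a package is installed. The following is an added example, not code from the article, from mitmproxy or from PyPI tooling; the table of known project names and their latest known versions is constructed here, and the similarity threshold is an assumption chosen for illustration.

```python
"""Screen a package name and version against a list of known projects.

Added example (not from the article or from mitmproxy/PyPI). It flags
names that look like suffix or near-miss variants of a known project and
versions that claim to be newer than the latest release upstream has shipped.
"""
import re
from difflib import SequenceMatcher
from typing import Dict, List, Optional, Tuple

# Constructed table: project name -> latest version known to the reviewer.
# The mitmproxy entry mirrors the article (current release 7.0.4).
KNOWN_PROJECTS: Dict[str, Tuple[int, ...]] = {
    "mitmproxy": (7, 0, 4),
    "requests": (2, 28, 0),
}

# Assumed threshold for "close enough to be a typo of" (not a PyPI rule).
SIMILARITY_THRESHOLD = 0.85


def normalize_name(name: str) -> str:
    """Lowercase and collapse runs of '-', '_' and '.' into '-', as PyPI does."""
    return re.sub(r"[-_.]+", "-", name.strip().lower())


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '8.0.1' into (8, 0, 1); non-numeric parts are ignored."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def resembles_known_project(name: str, known: Dict[str, Tuple[int, ...]]) -> Optional[str]:
    """Return the known project this name imitates, or None.

    Two patterns are covered: a known name followed by an arbitrary suffix
    (mitmproxy2, mitmproxy-iframe) and a near-miss spelling measured with
    difflib's similarity ratio. An exact match is not a variant.
    """
    candidate = normalize_name(name)
    for project in known:
        if candidate == project:
            return None
        remainder = candidate[len(project):]
        if candidate.startswith(project) and re.fullmatch(r"-?[a-z0-9-]+", remainder):
            return project
        if SequenceMatcher(None, candidate, project).ratio() >= SIMILARITY_THRESHOLD:
            return project
    return None


def check_package(name: str, version: str,
                  known: Dict[str, Tuple[int, ...]] = KNOWN_PROJECTS) -> Tuple[Optional[str], List[str]]:
    """Return (imitated project or None, list of finding codes) for one package."""
    findings: List[str] = []
    base = resembles_known_project(name, known)
    if base is None:
        return None, findings
    findings.append("name-variant")
    if parse_version(version) > known[base]:
        # A "fork" claiming a release upstream never made is the article's pattern.
        findings.append("version-ahead-of-upstream")
    return base, findings


if __name__ == "__main__":
    for pkg, ver in (("mitmproxy2", "8.0.1"), ("mitmproxy-iframe", "8.0.1"),
                     ("mitmproxy", "7.0.4"), ("requests", "2.28.0")):
        print(pkg, ver, "->", check_package(pkg, ver))
```

The output is a list of candidates for human review, not a verdict: legitimate projects may share a prefix with a well-known name, so a hit on "name-variant" alone only says that the name deserves a second look before installation.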

mitmproxy2 was identical to mitmproxy except for changes that implemented malicious functionality. The changes consisted of no longer setting the HTTP header "X-Frame-Options: DENY", which forbids rendering the content inside an iframe, disabling protection against XSRF attacks, and setting the headers "Access-Control-Allow-Origin: *", "Access-Control-Allow-Headers: *" and "Access-Control-Allow-Methods: POST, GET, DELETE, OPTIONS".

These changes removed the restrictions on access to the HTTP API used to manage mitmproxy through its web interface, which allowed any attacker on the same local network to get their code executed on the user's system by sending an HTTP request.
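The weakening described in the two paragraphs above shows up directly in the response headers of the local web interface, so it can be checked from the outside without reading the package source. The following is an added example, not code from the article or from mitmproxy: an audit function that takes a dictionary of response headers and reports which browser-side protections are missing or loosened. The two header sets are constructed to mirror the article's description (a hardened response with X-Frame-Options: DENY and no CORS headers, and a tampered response with that header dropped and wildcard CORS headers added); the finding codes are this example's own.

```python
"""Audit the response headers of a local management web UI for weakened
browser-side protections.

Added example, not code from mitmproxy or from the article. The sample header
sets are constructed to match the changes the article describes.
"""
from typing import Dict, List, Optional
import urllib.request

# Constructed sample: the kind of response a hardened local UI sends.
HARDENED_HEADERS: Dict[str, str] = {
    "Content-Type": "application/json",
    "X-Frame-Options": "DENY",
}

# Constructed sample: the weakened header set described in the article.
TAMPERED_HEADERS: Dict[str, str] = {
    "Content-Type": "application/json",
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Allow-Headers": "*",
    "Access-Control-Allow-Methods": "POST, GET, DELETE, OPTIONS",
}

# Methods that change state; a wildcard origin combined with these means any
# site in the browser can drive the API, which is the article's concern.
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return None


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of finding codes; an empty list means nothing was flagged."""
    findings: List[str] = []

    xfo = header(headers, "X-Frame-Options")
    if xfo is None or xfo.upper() not in ("DENY", "SAMEORIGIN"):
        # Without this header the UI can be embedded in an iframe by another origin.
        findings.append("frame-options-missing")

    origin = header(headers, "Access-Control-Allow-Origin")
    wildcard_origin = origin == "*"
    if wildcard_origin:
        findings.append("cors-origin-wildcard")

    if header(headers, "Access-Control-Allow-Headers") == "*":
        findings.append("cors-headers-wildcard")

    methods = header(headers, "Access-Control-Allow-Methods") or ""
    allowed = {m.strip().upper() for m in methods.split(",") if m.strip()}
    if wildcard_origin and allowed & STATE_CHANGING:
        findings.append("cors-state-changing-methods")

    return findings


def audit_url(url: str, timeout: float = 3.0) -> List[str]:
    """Fetch one URL (intended for a UI you run yourself) and audit its headers."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return audit_headers(dict(resp.headers.items()))


if __name__ == "__main__":
    print("hardened:", audit_headers(HARDENED_HEADERS))
    print("tampered:", audit_headers(TAMPERED_HEADERS))
```

Running the audit against the management UI of a freshly installed tool, before pointing a browser at it, is a cheap way to notice that a package has shipped with these protections removed; a clean upstream build should produce an empty list, while the tampered header set produces four findings.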

The PyPI administrators agreed that the changes made could be interpreted as malicious, and the package itself as an attempt to promote another product under the guise of the main project (the package description stated that this was a new version of mitmproxy, not a fork). The day after the package was removed from the catalog, a new package, mitmproxy-iframe, was posted to PyPI, whose description also completely matched the official package. The mitmproxy-iframe package has now been removed from the PyPI catalog as well.

Source: opennet.ru