Two malicious libraries found in the PyPI Python package repository

Malicious packages "python3-dateutil" and "jeIlyfish" have been identified in the PyPI (Python Package Index) package catalogue. Both were uploaded by the same author, olgired2017, and disguised as the popular packages "dateutil" and "jellyfish" (distinguished by the use of a capital "I" (i) instead of a lowercase "l" (L) in the name). After installation of these packages, encryption keys and confidential user data found on the system were sent to the attacker's server. The problematic packages have now been removed from the PyPI catalogue.

The malicious code itself is contained in the "jeIlyfish" package, and the "python3-dateutil" package pulled it in as a dependency.
The names were chosen to catch inattentive users who make typos when searching (typosquatting). The malicious "jeIlyfish" package was uploaded roughly a year ago, on December 11, 2018, and went undetected. The "python3-dateutil" package was uploaded on November 29, 2019 and within a few days raised suspicion with one of the developers. No information on the number of installations of the malicious packages has been provided.

The "jeIlyfish" package included code that downloaded a list of "hashes" from an external GitLab source repository. Analysis of the logic that handled these "hashes" showed that they contained a script encoded with base64, which was executed after decoding. The script collected SSH and GPG keys on the system, as well as certain file types from the home directory and credentials for PyCharm projects, and then sent them to an external server running on DigitalOcean cloud infrastructure.
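The capital-I-for-l trick described above is easy to catch before anything is installed. The following is an added example, not code from the article or from PyPI: a small Python checker that folds confusable glyphs and applies PEP 503 name normalisation before comparing the names in a requirements file against a popular-package list (the `POPULAR` set here is a constructed stub; a real deployment would load PyPI's download-ranking data).

```python
import re

# Constructed allow-list; assumption: a real check would load PyPI's current top-N download list.
POPULAR = {"jellyfish", "python-dateutil", "requests", "numpy"}
# Glyphs that are hard to tell apart in common fonts; the incident above used capital I for l.
CONFUSABLES = str.maketrans({"I": "l", "1": "l", "0": "o", "O": "o"})

def pep503(name: str) -> str:
    """PEP 503 name normalisation: lowercase, runs of '-', '_' or '.' become one '-'."""
    return re.sub(r"[-_.]+", "-", name.lower())

def canonical(name: str) -> str:
    """Fold look-alike glyphs to their common form, then normalise as PEP 503 does."""
    return pep503(name.translate(CONFUSABLES))

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance with unit cost for insert, delete and substitute."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_name(name: str, popular=POPULAR, max_distance: int = 1):
    """Return (verdict, popular_name): 'exact' is the genuine package, 'homoglyph'
    matches only after confusable folding, 'near-miss' is within max_distance edits."""
    known = sorted(popular)  # deterministic match order
    for p in known:
        if pep503(name) == pep503(p):
            return "exact", p
    for p in known:
        if canonical(name) == canonical(p):
            return "homoglyph", p
    for p in known:
        if edit_distance(canonical(name), canonical(p)) <= max_distance:
            return "near-miss", p
    return "ok", None

def audit_requirements(text: str):
    """Yield (name, verdict, match) for each suspicious line of a requirements file."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        name = re.split(r"[\s\[=<>!~;]", line, maxsplit=1)[0]  # name before any specifier
        verdict, match = check_name(name)
        if verdict in ("homoglyph", "near-miss"):
            yield name, verdict, match
```

Feed `audit_requirements` the text of a requirements file in CI and fail the build on any finding; both names from this incident come back flagged, "jeIlyfish" as a homoglyph of jellyfish and "python3-dateutil" as a one-edit near-miss of python-dateutil.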

source: budenet.ru
