A Python package called 'mitmproxy2' was pulled off from the PyPI repository because it was a replica of the official "mitmproxy" library, though with an "artificially introduced" code execution flaw.
The official Python library 'mitmproxy' is a free and open-source engaging HTTPS proxy that gets over 40,000 weekly downloads.
Mitmproxy is an open-source proxy program that uses a man-in-the-middle technique to monitor HTTP and HTTPS connections between any HTTP(S) client (such as a mobile or desktop browser) and a web server (MITM).
Maximilian Hils, one of the developers of the 'mitmproxy' Python library, brought everyone else's attention to a fake'mitmproxy2' package submitted to PyPI, on the 11th of October.
"mitmproxy2" is near "the same as regular mitmproxy, but with an artificial RCE vulnerability included."
As Hils told Bleeping Computer, his biggest worry is that certain software developers would misunderstand 'mitmproxy2' for a newer version of 'mitmproxy,' resulting in vulnerable code being accidentally included in their products. Whilst investigating an unconnected PyPI warehouse problem, Hils came across this imitation package via "happy little accident".
"When you run mitmproxy's web interface, we expose an HTTP API for that. If you remove all safeguards from that API, everyone on the same network can execute code on your machine with a single HTTP request," Hils told Bleeping Computer in an email interview.
It's also unclear if the person who released the copycat 'mitmproxy2' software did the same with malevolent purposes or just because of poor coding techniques. It would have been much easier to just put some harmful code that is immediately executed upon installation.
However, the issue is that if one uploads it to PyPI as 'mitmproxy2' with a version number that says it's newer/superseded, users will undoubtedly download it without realizing the changes.
While investigating 'mitmproxy2,' BleepingComputer noticed that a new package called 'mitmproxy-iframe' had also arrived on the PyPI repository less than a day after 'mitmproxy2' was deleted.
Since anyone can upload packages to open-source ecosystems, cybersecurity threats and attacks such as virus injection, typosquatting, brandjacking, and dependency misunderstanding have increased significantly in recent years.
Such "whack-a-mole" problems will always repeat themselves unless actual validations are implemented by open-source registries.
