peloconfig added to PyPI
A new package named 'peloconfig' was added to the Python Package Index (PyPI) with a misleading name to impersonate legitimate Python configuration utilities, potentially tricking developers into installing malicious or compromised dependencies. This attack targets Python developers and projects dependent on PyPI packages, risking supply-chain compromise and unauthorized code execution. The impact is limited to developers who unknowingly install the malicious package, but the attack vector leverages PyPI's namespace reservation policies.
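The defensive control against a misleadingly named package is to install only what a project has explicitly approved, and to flag anything else for review before it reaches a build. The following is an added example, not code from the advisory or from PyPI: it parses a requirements file, normalizes names the way PyPI does (PEP 503), reports every name outside a constructed allowlist, and annotates the ones that closely resemble an allowed name so a reviewer can see a likely lookalike at a glance. The allowlist, the sample requirements file and the 0.8 similarity threshold are assumptions chosen for illustration.

```python
"""Flag requirement names that are not on a project's allowlist and note
which allowed names they resemble. Added example; allowlist, sample input
and threshold are constructed for illustration."""
import re
from difflib import SequenceMatcher

# Constructed allowlist: the packages this hypothetical project has reviewed.
TRUSTED = {"pydantic", "python-decouple", "dynaconf", "configparser",
           "pyyaml", "requests"}

# Constructed sample requirements file (not a real project's file).
SAMPLE_REQUIREMENTS = """\
# constructed sample for the example
pyyaml==6.0.1
reqeusts>=2.31  # one transposition away from 'requests'
peloconfig
-e ./local-package
"""

_REQ_NAME = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalize(name):
    """PEP 503 normalization: lowercase, runs of '-', '_' and '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text):
    """Return the normalized project names listed in a requirements file.

    Comments, blank lines and option lines (-e, -r, --index-url ...) are
    skipped; version specifiers and markers are dropped.
    """
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        match = _REQ_NAME.match(line)
        if match:
            names.append(normalize(match.group(1)))
    return names


def lookalikes(name, trusted=TRUSTED, threshold=0.8):
    """Return (trusted_name, similarity) pairs for allowed names that `name`
    resembles but does not equal, most similar first."""
    name = normalize(name)
    hits = []
    for candidate in trusted:
        candidate = normalize(candidate)
        if candidate == name:
            continue
        ratio = SequenceMatcher(None, name, candidate).ratio()
        if ratio >= threshold:
            hits.append((candidate, round(ratio, 2)))
    return sorted(hits, key=lambda hit: -hit[1])


def audit(text, trusted=TRUSTED, threshold=0.8):
    """Map every requirement outside the allowlist to its lookalike hits.

    A name that is merely unknown maps to an empty list; it still needs review,
    because an allowlist miss is the primary finding and the similarity score
    is only a hint about what the name may be imitating.
    """
    allowed = {normalize(t) for t in trusted}
    findings = {}
    for name in parse_requirements(text):
        if name in allowed:
            continue
        findings[name] = lookalikes(name, trusted, threshold)
    return findings


if __name__ == "__main__":
    for name, hits in audit(SAMPLE_REQUIREMENTS).items():
        hint = ", ".join(f"{t} ({r})" for t, r in hits) or "no close allowed name"
        print(f"REVIEW {name}: not on allowlist; resembles: {hint}")
```

Run as a pre-install gate in CI, the script exits cleanly when every requirement is on the allowlist and otherwise prints one line per name to review. The similarity score is deliberately secondary: a name like the one in the advisory may not resemble any allowed package closely enough to score, and it is the allowlist miss, not the score, that should block the install.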