Security: Dependency Confusion
The package conidk in requirements.txt was not registered on PyPI, making this project vulnerable to a dependency confusion attack.
pip resolves packages from PyPI by default. If the private index is configured with --extra-index-url rather than --index-url, pip merges the candidates from PyPI and the private index and installs the highest version it finds across both, so an attacker who registers the same name on PyPI with a higher version number gets their package installed silently in place of the intended internal package. If no private index is configured at all, pip simply fetches the attacker's package from PyPI.
Proof of Concept
The package name conidk was registered on PyPI as a demonstration: https://pypi.org/project/conidk/
No malicious code was included — the package is empty.
Recommended Fix
Option 1: Register and own conidk on PyPI officially (a placeholder release is enough to reserve the name)
Option 2: Use --index-url pointing to your private registry (not --extra-index-url, which still consults PyPI and picks the highest version from either index)
Option 3: Rename to a namespaced package e.g. google-conidk (PyPI does not reserve name prefixes, so the new name still has to be registered as in Option 1)
Patch: e29a052
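As an added example (not part of this advisory or the project's code), the following Python script audits a requirements.txt for the two conditions behind this issue: a private index attached with --extra-index-url, and internal package names that are still unclaimed on PyPI. The sample requirements text, the internal-reporting name and the index URL are constructed for illustration; the PyPI lookup is passed in as a function so the audit can run offline, with a live urllib lookup provided for real use.

```python
import re
import urllib.error
import urllib.request

# Constructed sample requirements.txt for this example. "conidk" is the name
# from the advisory; "internal-reporting" and the index URL are hypothetical.
SAMPLE_REQUIREMENTS = """\
# private index added as an *extra* index: pip still consults PyPI
--extra-index-url https://pypi.internal.example/simple
requests==2.31.0
conidk==1.2.0
internal-reporting>=0.4 ; python_version >= "3.8"
"""

INDEX_OPT_RE = re.compile(r"^(--(?:extra-)?index-url)[ =]+(\S+)")
NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalize(name):
    """PEP 503 name normalization: lower-case, runs of '-', '_' and '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text):
    """Return (index_options, names): index options as (flag, url) pairs and
    normalized package names. Other options, URL/VCS and local-path requirements are skipped."""
    index_options = []
    names = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = INDEX_OPT_RE.match(line)
        if m:
            index_options.append((m.group(1), m.group(2)))
            continue
        if line.startswith("-") or "://" in line or line.startswith((".", "/")):
            continue
        m = NAME_RE.match(line)
        if m:
            names.append(normalize(m.group(1)))
    return index_options, names


def pypi_has_project(name):
    """Live lookup: PyPI's JSON API answers 404 for a project name nobody has claimed."""
    req = urllib.request.Request(
        f"https://pypi.org/pypi/{name}/json",
        headers={"User-Agent": "dependency-confusion-audit"},
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status == 200
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return False
        raise


def audit(text, internal_names, pypi_lookup=pypi_has_project):
    """Return findings as (kind, subject) tuples:
      ("extra-index-url", url)  private index merged with PyPI; highest version wins
      ("unclaimed", name)       internal name is free for anyone to register on PyPI
      ("claimed", name)         name exists on PyPI; confirm the project is yours
    """
    index_options, names = parse_requirements(text)
    findings = []
    for flag, url in index_options:
        if flag == "--extra-index-url":
            findings.append(("extra-index-url", url))
    internal = {normalize(n) for n in internal_names}
    for name in names:
        if name not in internal:
            continue  # public dependency: PyPI is the intended source
        findings.append(("unclaimed" if not pypi_lookup(name) else "claimed", name))
    return findings


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "requirements.txt"
    internal = sys.argv[2:]  # names expected to come from the private index
    with open(path, encoding="utf-8") as fh:
        for kind, subject in audit(fh.read(), internal):
            print(f"{kind}: {subject}")
```

Run it as `python audit.py requirements.txt conidk` against a checkout; a "claimed" result only proves the name exists on PyPI, so the owner of that PyPI project still has to be checked by hand, because an attacker who got there first produces the same result.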
References