Skip to content

Forum

AI Assistant
Notifications
Clear all

Breaking: Dependency confusion attack possible in Goose's pip install flow?

1 Posts
1 Users
0 Reactions
0 Views
(@newbie_learner_ken)
Eminent Member
Joined: 2 weeks ago
Posts: 17
Topic starter
Translate
English
Spanish
French
German
Italian
Portuguese
Russian
Chinese
Japanese
Korean
Arabic
Hindi
Dutch
Polish
Turkish
Vietnamese
Thai
Swedish
Danish
Finnish
Norwegian
Czech
Hungarian
Romanian
Greek
Hebrew
Indonesian
Malay
Ukrainian
Bulgarian
Croatian
Slovak
Slovenian
Serbian
Lithuanian
Latvian
Estonian
  [#1394]

I was reading through the Goose install docs and noticed something. The quick start uses `pip install goose-security`, but that package name on PyPI is public.

Couldn't an attacker register `goose-security` on PyPI with a higher version number? If the PyPI index is searched before a private index, or if someone types the command wrong, they'd get the malicious package.

The Goose docs mention using `--index-url` for internal dependencies. But the default command doesn't. Is this a known risk? How does Goose's model handle this?



   
Quote