Legacy Python Bootstrap Scripts Create Domain-Takeover Risk in Multiple PyPI Packages

Cybersecurity experts have identified vulnerabilities in legacy Python packages that may allow supply chain attacks through domain takeover, particularly targeting the PyPI ecosystem. Malicious actors could exploit these flaws to serve harmful code, risking remote access and data theft. #PyPI #Distribute #DomainTakeover

Key points

  • The vulnerability exists in the bootstrap scripts used by the zc.buildout tool for legacy Python packages.
  • The scripts fetch code from the now-for-sale domain python-distribute.org, so whoever acquires the domain could serve malicious code to anyone who runs them.
  • Many packages, including Tornado and slapos.core, still ship the vulnerable bootstrap scripts, increasing attack surface risks.
  • The bootstrap script is written in Python 2, making it incompatible with Python 3 but still exploitable if triggered.
  • Recent incidents include malicious PyPI packages like “spellcheckers” that infect systems with remote access Trojans (RATs).
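A defender's first question is whether any vendored package or checked-in bootstrap script still points at the abandoned domain. The scanner below is an added example written for this summary; it is not code from The Hacker News, zc.buildout, or any of the packages named. It walks a tree of `.py` files, extracts URL literals, and flags any whose host is (or is a subdomain of) a host in `UNOWNED_HOSTS`. The only host in that list is the one the article names; the sample bootstrap text and its file path are constructed, and `UNOWNED_HOSTS` is an assumption you should extend with your own inventory.

```python
"""Find bootstrap-style scripts that download code from a domain the project
no longer controls (the article names python-distribute.org).

Added example, not code from the article or from zc.buildout. The sample
bootstrap below is constructed; UNOWNED_HOSTS is an assumption to extend."""
import re
from pathlib import Path
from urllib.parse import urlparse

# Hosts the article identifies as no longer under the project's control.
UNOWNED_HOSTS = {"python-distribute.org"}

# Any http(s) URL literal embedded in source; stops at quotes/whitespace.
URL_RE = re.compile(r"""https?://[^\s'"<>)]+""")


def _is_unowned(host: str, unowned_hosts) -> bool:
    """True if host equals, or is a subdomain of, any unowned host."""
    return any(host == h or host.endswith("." + h) for h in unowned_hosts)


def find_unowned_fetches(source: str, unowned_hosts=UNOWNED_HOSTS):
    """Return a list of {line, url, host} for every URL whose host is unowned."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for url in URL_RE.findall(line):
            host = (urlparse(url).hostname or "").lower()
            if _is_unowned(host, unowned_hosts):
                findings.append({"line": lineno, "url": url, "host": host})
    return findings


def scan_tree(root, unowned_hosts=UNOWNED_HOSTS):
    """Map file path -> findings for every .py file under root with a hit."""
    results = {}
    for path in Path(root).rglob("*.py"):
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue  # unreadable file; skip rather than abort the scan
        hits = find_unowned_fetches(text, unowned_hosts)
        if hits:
            results[str(path)] = hits
    return results


# Constructed sample in the style of a legacy Python 2 bootstrap script.
# The path "example_setup.py" is a placeholder, not a real upstream file.
SAMPLE_BOOTSTRAP = '''\
import urllib2
# legacy bootstrap: fetch a setup helper from an external domain
DEFAULT_URL = "http://python-distribute.org/example_setup.py"
exec(urllib2.urlopen(DEFAULT_URL).read())
'''

# Constructed clean sample: the index host is not in UNOWNED_HOSTS.
SAMPLE_CLEAN = 'INDEX = "https://pypi.org/simple/"\n'


if __name__ == "__main__":
    for hit in find_unowned_fetches(SAMPLE_BOOTSTRAP):
        print(f"line {hit['line']}: fetches from unowned host {hit['host']}")
    # Real usage: point at an unpacked sdist or a vendored packages directory.
    # for path, hits in scan_tree("path/to/vendor").items(): print(path, hits)
```

Run `scan_tree` against an extracted sdist or a vendored directory rather than an installed site-packages alone, since the bootstrap scripts in question ship in source distributions. A hit is a reason to delete the script or replace it with a pinned, checksummed installer, not merely to rewrite the URL.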

Read More: https://thehackernews.com/2025/11/legacy-python-bootstrap-scripts-create.html