CVE-2022-30877: 
Python vulnerability analysis and mitigation

The keep package for Python, as distributed on PyPI, included a code-execution backdoor in version 1.2 that was inserted by a third party. The package, which gets downloaded over 8,000 times per week on average, contained a malicious dependency called 'request' (without 's') that was designed to steal sensitive information (BleepingComputer, NVD).

The vulnerability stems from the inclusion of a malicious dependency called 'request' instead of the legitimate 'requests' HTTP library. The malicious package contained base64-encoded URLs pointing to malware files: 'check.so' (a Remote Access Trojan) and 'x.pyx' (an info-stealer). The info-stealing trojan was designed to steal cookies and personal information from various web browsers including Chrome, Firefox, Yandex, and Brave. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (CRITICAL) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (NVD).

The malicious code could steal login credentials and passwords stored in web browsers, potentially leading to account compromises and further supply-chain attacks. After obtaining access to user credentials, threat actors could attempt to compromise other accounts used by the developer (BleepingComputer).

The current version of keep, without the backdoor, is version 1.2. Users should ensure they are not using the compromised version and should update to the latest clean version. Organizations should also verify they are not pulling packages from potentially compromised mirror sites (NVD).

The incident was initially discovered by GitHub user duxinglin1 who noticed the vulnerable versions contained the misspelled 'request' dependency. Investigation revealed this was likely due to a typographical error rather than an account compromise, highlighting how innocent typing mistakes can inadvertently lead to successful typosquatting attacks (BleepingComputer).