Security research PoC - pip takeover for DataDog dd-trace-api-py

Project description

dd-trace-api-py

Security Research - Package Takeover PoC

This package was registered as part of responsible security research.

The package name dd-trace-api-py is referenced in official Datadog documentation (dd-trace-api-py quickstart) but was not registered on PyPI. Whoever registered the name first would control what pip install dd-trace-api-py installs, which makes it vulnerable to supply chain takeover.

The real Datadog tracer package on PyPI is ddtrace; the docs use a different name.

Impact

Any developer following the official docs who runs the documented command would execute attacker-controlled code.
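
A documentation audit for the gap described above, as an added example that is not part of this package or of Datadog's tooling: it pulls package names out of pip install lines, normalizes them per PEP 503 (so dd_trace_api_py and dd-trace-api-py compare equal), and reports names missing from the set the publisher has registered. The docs excerpt and the registered list are constructed, and the example assumes each pip command sits on its own line.

```python
import re

# pip options whose next token is a value, not a package (partial list).
OPTS_WITH_VALUE = {"-r", "--requirement", "-c", "--constraint", "-e",
                   "--editable", "-i", "--index-url", "--extra-index-url",
                   "-f", "--find-links", "-t", "--target"}
PIP_CMD = re.compile(r"\b(?:python3?\s+-m\s+)?pip3?\s+install\s+(.+)")
NAME = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?")

# Constructed sample: a docs excerpt and the names the publisher has registered.
SAMPLE_DOCS = """\
Install the tracer:
    $ pip install ddtrace
Quickstart:
    pip install --upgrade "dd_trace_api_py>=0.0.1"
    python -m pip install -r requirements.txt
"""
REGISTERED = ["ddtrace"]

def normalize(name):
    """PEP 503: lowercase, runs of '-', '_' and '.' collapse to one '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def documented_packages(text):
    """Yield (line_no, normalized_name) for each package a pip install line names."""
    for line_no, line in enumerate(text.splitlines(), 1):
        m = PIP_CMD.search(line)
        if not m:
            continue
        tokens = iter(m.group(1).split())
        for tok in tokens:
            tok = tok.strip("\"'`")
            if tok.startswith("-"):
                if tok in OPTS_WITH_VALUE:
                    next(tokens, None)      # drop the option's value
                continue
            nm = NAME.match(tok)
            if nm and "/" not in tok:       # skip paths and URLs
                yield line_no, normalize(nm.group(0))

def unowned(text, registered):
    """Documented names that are absent from the publisher's registered set."""
    owned = {normalize(n) for n in registered}
    return [(n, p) for n, p in documented_packages(text) if p not in owned]

if __name__ == "__main__":
    for line_no, pkg in unowned(SAMPLE_DOCS, REGISTERED):
        print(f"line {line_no}: '{pkg}' is documented but not registered")
```

Run in a docs build, a non-empty result means a published install command names a package the publisher does not control.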

This package is harmless

It only prints a warning message. No data is collected.

Researcher

AnupamAS01

Download files

Source Distribution

dd_trace_api_py-0.0.1.tar.gz (2.1 kB view details)

Uploaded Source

Built Distribution

dd_trace_api_py-0.0.1-py3-none-any.whl (2.6 kB view details)

Uploaded Python 3

File details

Details for the file dd_trace_api_py-0.0.1.tar.gz.

File metadata

  • Download URL: dd_trace_api_py-0.0.1.tar.gz
  • Upload date:
  • Size: 2.1 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.12.3

File hashes

Hashes for dd_trace_api_py-0.0.1.tar.gz
Algorithm Hash digest
SHA256 248f596e021d16d023a509860ae2e4652712a359948aa6ed52c8999e79ebb0da
MD5 e735b089ea94556cd6355ff89f20af37
BLAKE2b-256 c02f2c918a096d31b701cf30ac47a10214191d70a6412767848d9ecaee450f3a

File details

Details for the file dd_trace_api_py-0.0.1-py3-none-any.whl.

File hashes

Hashes for dd_trace_api_py-0.0.1-py3-none-any.whl
Algorithm Hash digest
SHA256 9f1348b2b85ff204dbb9f46a849ab4830eb265358b13bdde58d61a56dbcf3004
MD5 66b2e64e9e5b676a58d4f9ea54bda123
BLAKE2b-256 903ff6842204fc6f7b8a294498afebce40077c41a957fc5a1c68b0f76072cef1
