
Volume 299, Issue 1 · IT Vendor News · Fortinet

Supply Chain Attack By New Malicious Python Package, 'Web3-Essential'

Fortinet News, February 2nd, 2023

The FortiGuard Labs team has discovered another new 0-day attack in a PyPI (Python Package Index) package called 'web3-essential'.

web3-essential was discovered on January 30, 2023, by monitoring an open-source ecosystem. The package was published on January 26, 2023, the same day its author, 'Trexon', joined the repository. Given how often this pattern of joining and publishing on the same day occurs, it is wise to take precautions when downloading packages published by newly joined authors.

The author included a brief description of the project along with a unique version number of '1.0.4b0', as if to avoid suspicion.
