I'm a Cyber Security researcher and developer of PackjGuard [1] to address open-source software supply chain attacks.

Issue

During my research, I found that this repo is vulnerable to attack due to missing deleted dependency from the public PyPI registry.

Details

Specifically, file https://github.com/WH1T3-E4GL3/white-deface/blob/97c47d6f4cf7c00abe4e446b80446e626f6f3b7f/requirements.txt lists crackmapexec as one of the dependencies. However, it has been deleted from public PyPI. As such, an external bad actor can claim that name and register a malicious package, which will be then installed with pip install command, resulting in arbitrary remote code execution.

Impact

Not only your apps/services using https://github.com/WH1T3-E4GL3/white-deface repo code are vulnerable to this attack, but the users of your open-source Github repo could also fall victim.

You could read more about such attacks here: https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610

Remediation

Please manually register a placeholder crackmapexec package on PyPI immediately or remove crackmapexec dependency from https://github.com/WH1T3-E4GL3/white-deface/blob/97c47d6f4cf7c00abe4e446b80446e626f6f3b7f/requirements.txt to fix this vulnerability.

To automatically fix such issues in future, please install PackjGuard Github app [1].

Thanks!

1. PackjGuard is a Github app that monitors your repos 24x7, detects vulnerable/malicious/risky open-source dependencies, and creates pull requests for auto remediation: https://github.com/marketplace/packjguard

Great to see your contribution! It's important to remember that the original creator put in a lot of effort to make this project. So, let's give credit where it's due and ensure our contributions benefit the entire community. You can add your improvements to the original repository as a pull request: Original link . Please, let's avoid simply copying and pasting. Thanks for understanding! 😊

Hey brother please help me the tool white deface is not working please answer

I'm a Cyber Security researcher and developer of PackjGuard [1] to address open-source software supply chain attacks.

Issue

During my research, I found that this repo is vulnerable to attack due to deleted dependency from the public PyPI registry.

Details

Specifically, file https://github.com/WH1T3-E4GL3/white-deface/blob/e112d87d290f18eee83dc4425c9b5f02178ec61e/requirements.txt lists sinchsms as one of the dependencies. However, it has been deleted from public PyPI. As such, an external bad actor can claim that name and register a malicious package, which will be then installed with pip install command, resulting in arbitrary remote code execution.

Impact

Not only your apps/services using https://github.com/WH1T3-E4GL3/white-deface repo code are vulnerable to this attack, but the users of your open-source Github repo could also fall victim.

You could read more about such attacks here: https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610

Remediation

Please manually register a placeholder sinchsms package on PyPI immediately or remove sinchsms dependency from https://github.com/WH1T3-E4GL3/white-deface/blob/e112d87d290f18eee83dc4425c9b5f02178ec61e/requirements.txt to fix this vulnerability.

To automatically fix such issues in future, please install PackjGuard Github app [1].

Thanks!

1. PackjGuard is a Github app that monitors your repos 24x7, detects vulnerable/malicious/risky open-source dependencies, and creates pull requests for auto remediation: https://github.com/marketplace/packjguard

https://www.facebook.com/profile.php?id=100083412624660&mibextid=LQQJ4d