query-profile 0.0.1__py3-none-any.whl
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
|
@@ -0,0 +1,10 @@
|
|
|
1
|
+
"""
|
|
2
|
+
query-profile — DEPENDENCY CONFUSION POC
|
|
3
|
+
|
|
4
|
+
This package exists solely to prove that the 'query-profile' name
|
|
5
|
+
was unclaimed on PyPI while being referenced in Apple's documentation.
|
|
6
|
+
|
|
7
|
+
No malicious functionality is included.
|
|
8
|
+
"""
|
|
9
|
+
|
|
10
|
+
__version__ = "0.0.1"
|
|
@@ -0,0 +1,14 @@
|
|
|
1
|
+
"""
|
|
2
|
+
query-profile — DEPENDENCY CONFUSION PROOF OF CONCEPT
|
|
3
|
+
|
|
4
|
+
This package exists to demonstrate that the 'query-profile' name
|
|
5
|
+
was unclaimed on PyPI while being referenced in Apple's official
|
|
6
|
+
ml-health-query-profiles repository (https://github.com/apple/ml-health-query-profiles).
|
|
7
|
+
|
|
8
|
+
This package contains NO malicious code. See README.md for details.
|
|
9
|
+
"""
|
|
10
|
+
|
|
11
|
+
if __name__ == "__main__":
|
|
12
|
+
print("query-profile: This is a dependency confusion proof-of-concept package.")
|
|
13
|
+
print("No malicious functionality is included.")
|
|
14
|
+
print("See: https://github.com/apple/ml-health-query-profiles")
|
|
@@ -0,0 +1,28 @@
|
|
|
1
|
+
Metadata-Version: 2.4
|
|
2
|
+
Name: query-profile
|
|
3
|
+
Version: 0.0.1
|
|
4
|
+
Summary: DEPENDENCY CONFUSION POC — This package name was unclaimed on PyPI. Claimed by security researcher to demonstrate the attack surface in Apple's ml-health-query-profiles repository.
|
|
5
|
+
Author: L0bo
|
|
6
|
+
License: MIT
|
|
7
|
+
Requires-Python: >=3.10
|
|
8
|
+
Description-Content-Type: text/markdown
|
|
9
|
+
|
|
10
|
+
# query-profile
|
|
11
|
+
|
|
12
|
+
**⚠️ DEPENDENCY CONFUSION PROOF OF CONCEPT ⚠️**
|
|
13
|
+
|
|
14
|
+
This package name (`query-profile`) was identified as **unclaimed on PyPI** while being directly referenced in Apple's official open-source repository:
|
|
15
|
+
|
|
16
|
+
- **Repository**: [apple/ml-health-query-profiles](https://github.com/apple/ml-health-query-profiles)
|
|
17
|
+
- **Affected file**: [docs/TUTORIAL.md](https://github.com/apple/ml-health-query-profiles/blob/HEAD/docs/TUTORIAL.md)
|
|
18
|
+
- **Issue**: The tutorial instructs users to run `pip install query-profile`, but Apple never published this package to PyPI.
|
|
19
|
+
|
|
20
|
+
This package is a **harmless proof of concept** — it does nothing except demonstrate that the package name was unclaimed and could be registered by an attacker. In a real attack, a malicious package under this name could:
|
|
21
|
+
|
|
22
|
+
- Steal OpenAI/Anthropic/Azure API keys
|
|
23
|
+
- Exfiltrate sensitive health query data
|
|
24
|
+
- Install backdoors or persistence mechanisms
|
|
25
|
+
|
|
26
|
+
---
|
|
27
|
+
|
|
28
|
+
*This package was published for responsible disclosure purposes only. No malicious code is included.*
|
|
@@ -0,0 +1,5 @@
|
|
|
1
|
+
query_profile/__init__.py,sha256=GGI86E5UCojWFxiTHAIoi1FWx-m4-byx_QtBb9uuEOY,253
|
|
2
|
+
query_profile/__main__.py,sha256=u8CURbGZuBfis-vmMfW3FKTbcbNHHjpRHhgpWD4itKo,587
|
|
3
|
+
query_profile-0.0.1.dist-info/METADATA,sha256=0HXCpMFpJ7GL-lVvFb2k1GaqxJpnBcwPFdoaVansNDM,1374
|
|
4
|
+
query_profile-0.0.1.dist-info/WHEEL,sha256=mffPy8wBnZQn2VnJUU5jE99KsxaSfiyMHV9Yt0aLVxs,87
|
|
5
|
+
query_profile-0.0.1.dist-info/RECORD,,
|