Privacy Ninja

PyPI Removes ‘mitmproxy2’ Over Code Execution Concerns

The PyPI repository has removed a Python package called ‘mitmproxy2’ that was an identical copy of the official “mitmproxy” library, but with an “artificially introduced” code execution vulnerability.

The official ‘mitmproxy’ Python library is a free and open-source interactive HTTPS proxy with over 40,000 weekly downloads.

Copycat package could trick devs into falling for ‘newer’ version

Yesterday, Maximilian Hils, who is one of the developers behind the ‘mitmproxy’ Python library drew everyone’s attention towards a counterfeit ‘mitmproxy2’ package uploaded to PyPI.

‘mitmproxy2’ is essentially “the same as regular mitmproxy but with an artificial RCE vulnerability included.”

The more popular you get, the more shit you attract: Someone uploaded “mitmproxy2” to @PyPI, which is the same as regular mitmproxy but with an artificial RCE vulnerability included. — Maximilian Hils (@maximilianhils) October 11, 2021

Hils’ main concern, as he described to BleepingComputer, was that some software developers might mistake ‘mitmproxy2’ for a “newer version” of ‘mitmproxy’ and inadvertently introduce insecure code into their apps.

Hils found this copycat package in what he calls a “happy little accident” while looking into an unrelated PyPI warehouse issue.

[Image] Now-removed ‘mitmproxy2’ PyPI package page (BleepingComputer)

On analyzing the differences between ‘mitmproxy2’ and his own ‘mitmproxy’, one thing stood out: the copycat had all safeguards removed from the API.

“When you run mitmproxy’s web interface, we expose an HTTP API for that. If you remove all safeguards from that API, everyone on the same network can execute code on your machine with a single HTTP request,” Hils told BleepingComputer in an email interview.

[Image] ‘mitmproxy2’ had API safeguards removed (BleepingComputer)
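To make Hils’ remark concrete, here is an added example (written for this article, not mitmproxy’s own web interface code, whose real checks may differ) of the kind of safeguards a local management API relies on and what removing them means. The header name `X-Api-Token`, the `ALLOWED_HOSTS` set and the `is_authorized` function are assumptions of this example; the point is that once the token and Host/Origin checks are gone, any browser page or any machine that can reach the port can drive the API.

```python
"""Illustrative safeguards for a local management HTTP API (example code
added for this article; not mitmproxy's own web interface code).

A local web UI whose API can run code on the host usually protects it with:
  1. binding the listener to the loopback interface only,
  2. a per-process secret token every API call must present, and
  3. a Host/Origin check so a browser page served by another site, or a
     request from another machine, is refused even if it reaches the port.
Removing these checks is what turns "an HTTP API for the web UI" into
"anyone on the same network can execute code with a single request".
"""
import secrets
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Hostnames under which the UI expects to be reached (assumed values).
ALLOWED_HOSTS = frozenset({"127.0.0.1", "localhost", "::1"})


def hostname_of(value: str) -> str:
    """Hostname of a Host header ('host:port') or an Origin URL
    ('scheme://host:port'), lower-cased, with any port stripped."""
    try:
        parts = urlsplit(value if "://" in value else "//" + value)
        return parts.hostname or ""
    except ValueError:  # e.g. malformed IPv6 literal
        return ""


def is_authorized(headers: Dict[str, str], expected_token: str,
                  allowed_hosts=ALLOWED_HOSTS) -> Tuple[bool, str]:
    """Decide whether one request may reach the API; returns (ok, reason).

    `headers` is a plain dict of the request headers, any letter case."""
    h = {k.lower(): v for k, v in headers.items()}

    # Safeguard 2: constant-time comparison of the secret token.
    presented = h.get("x-api-token", "")
    if not secrets.compare_digest(presented.encode(), expected_token.encode()):
        return False, "missing or wrong API token"

    # Safeguard 3a: the request must be addressed to a local hostname, which
    # defeats DNS-rebinding style tricks that reach a local port under a
    # foreign Host name.
    if hostname_of(h.get("host", "")) not in allowed_hosts:
        return False, "request not addressed to a local hostname"

    # Safeguard 3b: browsers send Origin on cross-site requests; any origin
    # other than the UI's own is a cross-site request and is refused.
    origin: Optional[str] = h.get("origin")
    if origin is not None and hostname_of(origin) not in allowed_hosts:
        return False, "cross-origin browser request"

    return True, "ok"


class ApiHandler(BaseHTTPRequestHandler):
    token = ""  # set by run()

    def do_POST(self):
        ok, reason = is_authorized(dict(self.headers.items()), self.token)
        body = (reason + "\n").encode()
        self.send_response(200 if ok else 403)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def run(token: str, port: int = 8081) -> None:
    """Safeguard 1: listen on loopback only. The token is printed once so the
    local user (and nobody else) can paste it into the UI."""
    ApiHandler.token = token
    print(f"API token: {token}")
    HTTPServer(("127.0.0.1", port), ApiHandler).serve_forever()


if __name__ == "__main__":
    run(secrets.token_hex(16))
```

Run it and POST to `http://127.0.0.1:8081/` with and without the printed token, or with a foreign `Origin` header, to see which requests the checks turn away; a copy of this handler with `is_authorized` replaced by `return True, "ok"` is the shape of the change the article describes, and any auditing of a forked package should diff exactly this kind of function.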

It also isn’t clear whether the user who published the copycat ‘mitmproxy2’ package did so with willful malicious intent or simply out of insecure coding practices.

“To be clear, this really isn’t the most malicious thing an attacker could do. It would be much more straightforward to just add some malicious code that gets executed on install right away.”

“The problem is of course if you upload that to PyPI as ‘mitmproxy2’ with a version number that indicates it’s newer/a successor, people will inevitably download that not knowing about the changes.”

Hils thanked PyPI volunteers for swiftly reacting to this report. Within four hours of Hils’ tweet, ‘mitmproxy2’ was taken down.

Whack-a-mole: another copycat appears hours later

While analyzing ‘mitmproxy2’, BleepingComputer discovered that another package, ‘mitmproxy-iframe’, had appeared on the PyPI registry less than a day after ‘mitmproxy2’ was removed.

Once again, this package is an exact replica of the official mitmproxy, but with the aforementioned safeguards removed from the “app.py” file, as seen by BleepingComputer.

Interestingly, ‘mitmproxy-iframe’ was also published by the same user who was behind ‘mitmproxy2’, casting further doubt on the user’s intentions:

[Image] Another package ‘mitmproxy-iframe’ appears with the same code execution vulnerability (BleepingComputer)

Because anyone can publish packages to open-source ecosystems, security threats and attacks like malware injection, typosquatting, brandjacking, and dependency confusion have increased rapidly in recent times.

Unless open-source registries put concrete validations in place, these “whack-a-mole” situations are bound to repeat themselves.
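Registry-side validation is out of a project’s hands, but the consumer side can at least notice when a dependency name is a near-match of a package it already trusts, which is exactly what ‘mitmproxy2’ and ‘mitmproxy-iframe’ are to ‘mitmproxy’. The following is an added example written for this article (not tooling from PyPI, mitmproxy or the author): the `scan_requirements` function, the sample requirements file and the trusted-name list are all constructed here, and the three lookalike rules (numeric suffix, extra hyphenated token, one-character edit) are this example’s own heuristics.

```python
"""Flag dependency names that look like copycats of trusted packages.

Example added for this article (not from the article, PyPI or mitmproxy):
a small triage check over a requirements file that reports names which are
near-matches of packages the project trusts, the way 'mitmproxy2' and
'mitmproxy-iframe' are near-matches of 'mitmproxy'.
"""
import re
from typing import List, Optional, Set, Tuple


def normalize(name: str) -> str:
    """PEP 503 name normalisation: case-fold, collapse runs of -_. to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def requirement_name(line: str) -> Optional[str]:
    """Distribution name on one requirements.txt line, or None for
    comments, blank lines, pip options and URL requirements."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith(("-", "git+", "http://", "https://")):
        return None
    m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
    return m.group(0) if m else None


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert / delete / substitute one character)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_reason(name: str, trusted: Set[str]) -> Optional[str]:
    """Why `name` resembles a trusted package, or None if it is exact/unrelated."""
    n = normalize(name)
    if n in trusted:
        return None
    for t in sorted(trusted):
        if re.fullmatch(re.escape(t) + r"\d+", n):        # mitmproxy2
            return f"trusted name {t!r} with a numeric suffix"
        if n.startswith(t + "-") or n.endswith("-" + t):  # mitmproxy-iframe
            return f"trusted name {t!r} with an extra token"
        if edit_distance(n, t) == 1:                       # mitmproxi
            return f"one edit away from trusted name {t!r}"
    return None


def scan_requirements(text: str, trusted_names) -> List[Tuple[int, str, str]]:
    """Return (line number, name, reason) for every lookalike in `text`."""
    trusted = {normalize(t) for t in trusted_names}
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        name = requirement_name(line)
        if name is None:
            continue
        reason = lookalike_reason(name, trusted)
        if reason is not None:
            findings.append((lineno, name, reason))
    return findings


# Constructed sample input; the two copycat names are the ones from the article.
SAMPLE_REQUIREMENTS = """\
# constructed requirements.txt
requests==2.26.0
mitmproxy>=7.0
mitmproxy2==7.0.3          # looks like a successor, is not
mitmproxy-iframe           # extra token on a trusted name
numpy
"""
TRUSTED_NAMES = ["mitmproxy", "requests", "numpy"]


if __name__ == "__main__":
    for lineno, name, reason in scan_requirements(SAMPLE_REQUIREMENTS, TRUSTED_NAMES):
        print(f"line {lineno}: {name}: {reason}")
```

The findings are triage hints, not verdicts: a trusted ‘psycopg’ would flag the perfectly legitimate ‘psycopg2’, and plugin conventions such as ‘pytest-…’ trip the extra-token rule by design. The useful outcome is that a reviewer looks at the package page and its publisher before the name reaches a lock file, which is the step the article’s hypothetical developer skipped.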

BleepingComputer notified PyPI of the ‘mitmproxy-iframe’ package prior to publishing and the package was taken down.
