query-profile
Advanced tools
DEPENDENCY CONFUSION POC v0.0.3 — PoC with Burp Collaborator callback. Claimed by L0bo to demonstrate attack surface in Apple's ml-health-query-profiles.
⚠️ DEPENDENCY CONFUSION PROOF OF CONCEPT ⚠️
This package name (query-profile) was identified as unclaimed on PyPI while being directly referenced in Apple's official open-source repository:
pip install query-profile, but Apple never published this package to PyPI.This package is a harmless proof of concept — it does nothing except demonstrate that the package name was unclaimed and could be registered by an attacker. In a real attack, a malicious package under this name could:
This package was published for responsible disclosure purposes only. No malicious code is included.
FAQs
DEPENDENCY CONFUSION POC v0.0.3 — PoC with Burp Collaborator callback. Claimed by L0bo to demonstrate attack surface in Apple's ml-health-query-profiles.
We found that query-profile demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
GitHub Actions checkout now blocks risky pull_request_target checkouts by default to help prevent pwn request supply chain attacks.
Product
Socket now supports Custom Roles and Repository Access Permissions so organizations can control who can access specific repositories and actions.
Product
Socket MCP now lets AI assistants review org alerts, investigate threats using the Socket threat feed, and inspect package files in addition to dependency scoring.