Compromise Developer Pipeline

Learn the pitfalls of curl-bashing and perform an attack on developer pipelines.
35 min Updated Sep 24, 2021

Abandoned Dependency

This exercise teaches the dangers of abandoned dependencies. In it, the player will be guided through injecting malicious code into an abandoned package in order to steal information from developers who use that package.
28 min Updated Sep 23, 2021

Bitcoin Stealer

There is a bitcoin stealer present in one of the repositories downloaded onto this project. Your goal is to identify which of the repositories is suspicious and then identify the bitcoin stealer. By interacting with these files you will find a flag, which you must provide to the system.
20 min Updated Sep 23, 2021

Compromise Developer

Many people use Python's flask package as their website's backbone. Usually, this is accompanied by ways to access the database through environment variables. Compromise "pallets", a flask developer account, to inject malicious code into the public repository and steal people's environment variables.
38 min Updated Sep 23, 2021

Dependency Confusion

Use dependency confusion to compromise a private package
18 min Updated Sep 23, 2021

Frozen Dependencies

A level based around the vulnerability in a frozen version of Security-Flask-Too, which allows a third-party site to obtain the auth token of a user without being authenticated itself.
253 min Updated Sep 23, 2021

Internal Dependencies

The player hacks into the private repository server and compromises a package
36 min Updated Sep 23, 2021

Malicious Developer

The player finds the malicious code from the installed package in the system and investigates who injected the malicious code to that package.
36 min Updated Sep 23, 2021

SBOM

Learn how to investigate a software supply chain, what an SBOM is, how an SBOM can be generated, what a CVE is, how to find a CVE, and how to perform a scan for CVEs.
31 min Updated Sep 23, 2021

Typosquatting

Use typosquatting to inject malicious code into a victim's application
11 min Updated Sep 24, 2021