Conda-Build Supply Chain Vulnerability via Missing Dependency in Pyproject.toml

A supply chain vulnerability has been identified in Conda-Build versions prior to 25.3.0. The issue arises because the Pyproject.toml file lists 'conda-index' as a dependency, but this package is not available on PyPI. This creates an opportunity for an attacker to upload malicious code to a package claiming the 'conda-index' namespace, which could then be injected into projects during the dependency resolution process. The vulnerability has been addressed in Conda-Build version 25.3.0, which removes 'conda-index' from the list of dependencies. Users can also work around the issue by using the '--no-deps' option when installing the project with pip.

Impact

Exploitation of this vulnerability allows for a supply chain attack, where malicious code can be injected into projects via a compromised dependency.

Reproduction

The vulnerability can be reproduced by creating a package that claims the 'conda-index' namespace on PyPI and uploading malicious code. Then, when a user installs a package that depends on 'conda-index' using pip, the malicious code will be executed.

Remediation

Users should upgrade to Conda-Build version 25.3.0 or later. Instructions for updating can be found in the Conda-Build documentation.