always coming home is a user on cybre.space. You can follow them or interact with them if you have an account anywhere in the fediverse.
always coming home @nightpool

holy shit.

reddit.com/r/Python/comments/8
twitter.com/x0rz/status/994116

"The ssh-decorator package from Python pip had an obvious backdoor"

sends host + username + password to an external website

· Web · 116 · 53
Soni L. @SoniEx2

@nightpool now imagine if it were proprietary.

always coming home @nightpool

@SoniEx2 most people don't use proprietary libraries

AVAILABLE FOR LEGAL REASONS @benhamill

@nightpool Jesus Percival Wolfric Brian Christ!!!

the steve-52's @rook@hulvr.com

@nightpool that's not just a backdoor, that's blatant exfiltration. (Over HTTP, which is a crime of its own.)

🍻 alfajet 🇫🇷 🇬🇧 @alfajet@mastodon.xyz

@nightpool
whois.com/whois/ssh-decorate.c

always coming home @nightpool

@alfajet which is completely pointless, given that dot cf never provides any personal details........

Sean R. Lynch ☑️ @seanl@literati.org

@nightpool Chapter four billion, seven hundred thirty-eight thousand, nine hundred twenty-four in why you shouldn't blindly install stuff from a package system anyone can upload to.

Sean R. Lynch ☑️ @seanl@literati.org

@nightpool Or even with your eyes open, since at any time a package could change hands.

Dr. Equivalent the Incredible @drequivalent@mastodonsocial.ru

@nightpool wow what the fuck

mx. fluffy @fluffy@queer.party

@nightpool @codl holy shit IN PLAINTEXT even what the jesus everfucking shit

Austin Dern @Austin_Dern@mastodon.social

@fluffy @nightpool @codl And if it weren't bad enough: logging it as 'passowrd'.

mx. fluffy @fluffy@queer.party

@Austin_Dern @nightpool @codl I can actually see them having done that on purpose to fool automated warning/checker things. It’s an anti pattern I saw a few times at Amazon internally to escape a code auditor process.

Austin Dern @Austin_Dern@mastodon.social

@fluffy @nightpool @codl Surely is to sneak past automated checking, yes. It's the laziness that gets me. If they titled like, 'networkSuccess' or 'connectStatus' or even 'misc1' then you'd have something too boring to pay attention to if you caught it being passed on your network.

rrix 🍕🌎 @rrix

@nightpool lol.

~sanlyx @sanlyx@pleroma.soykaf.com
@nightpool
~sanlyx @sanlyx@pleroma.soykaf.com
@nightpool which also reminds me that each npm package I install, each shady library I git clone and build is executing arbitrary code in my self-signed-certificate-secure-boot-and-full-disk-encryption-TPM-enabled-machine

paranoid mode (re)activated, I'll probably be installing "CleanMyPC" in like four days or so
Rain 🚱 @grainloom

@nightpool they could have at least obfuscated it or something

meejah @meejah@mastodon.social

@nightpool It's almost like that practice of basically forcing people to put plaintext passwords in ~/.pypirc and never checking signagures wasn't the best idea :/

🦄 jоsнυα 🌈 @DC7IA@chaos.social

@nightpool @andreas 1234'); DROP TABLE passwords;--

and done..?

Andreas DC6AP (JO43) 📻 💻🤓🏕 @andreas@mastodon.aventer.biz

@DC7IA @nightpool könnte Funktionieren 😃

Aarkon @Aarkon@metalhead.club

@nightpool So Twitter uses a Python backend? 😂

cybre.space powered by Mastodon