holy shit.

"The ssh-decorator package from Python pip had an obvious backdoor"

sends host + username + password to an external website

@nightpool that's not just a backdoor, that's blatant exfiltration. (Over HTTP, which is a crime of its own.)

@alfajet which is completely pointless, given that dot cf never provides any personal details........

@nightpool Chapter four billion, seven hundred thirty-eight thousand, nine hundred twenty-four in why you shouldn't blindly install stuff from a package system anyone can upload to.

@nightpool Or even with your eyes open, since at any time a package could change hands.

@nightpool @codl holy shit IN PLAINTEXT even what the jesus everfucking shit

@Austin_Dern @nightpool @codl I can actually see them having done that on purpose to fool automated warning/checker things. It’s an anti pattern I saw a few times at Amazon internally to escape a code auditor process.

@fluffy @nightpool @codl Surely is to sneak past automated checking, yes. It's the laziness that gets me. If they titled like, 'networkSuccess' or 'connectStatus' or even 'misc1' then you'd have something too boring to pay attention to if you caught it being passed on your network.

@nightpool which also reminds me that each npm package I install, each shady library I git clone and build is executing arbitrary code in my self-signed-certificate-secure-boot-and-full-disk-encryption-TPM-enabled-machine

paranoid mode (re)activated, I'll probably be installing "CleanMyPC" in like four days or so

@nightpool they could have at least obfuscated it or something

@nightpool It's almost like that practice of basically forcing people to put plaintext passwords in ~/.pypirc and never checking signagures wasn't the best idea :/

Sign in to participate in the conversation

cybrespace: the social hub of the information superhighway

jack in to the mastodon fediverse today and surf the dataflow through our cybrepunk, slightly glitchy web portal