Comments
-
TBF, Paul Moore pointed out from the beginning that you shouldn't trust stuff from PyPI to not be malware in the first place. But regardless, you should always be able to choose which piece of malware you want to install on your machine.
-
@electrineer PyPI seems to always enjoy priority over private repos of the same name; that's what enabled this attack.
That begs the question - if they are aware of the consequences, then why do they prioritise a server that they themselves regard as a malware host? Just for screwing people?
-
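As an added example (not code from the thread, nor pip's own), a small check for the exposure described above: with an `--extra-index-url` configured, pip pools candidates from every index and installs the highest version it finds, so a private package name is shadowable by a same-name public upload unless its requirement line is pinned and hash-checked. The package names, the internal index URL and the hash below are constructed placeholders.

```python
import re

# Constructed sample requirements file (not from the thread); the internal
# index URL and the hash are placeholders.
SAMPLE_REQUIREMENTS = """\
--index-url https://pypi.org/simple
--extra-index-url https://pypi.internal.example/simple
requests
acme-internal-utils==1.4.0
acme_auth==2.0.1 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
"""

# Names that only exist on the internal index (constructed).
PRIVATE_NAMES = {"acme-internal-utils", "acme-auth"}


def normalize(name):
    """PEP 503 name normalisation, so acme_auth and Acme-Auth compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def lint_requirements(text, private_names):
    """Return (logical_line, name, issue) triples.

    'shadowable': a private name is requested while an --extra-index-url is
    configured and the line carries no --hash, so a same-name public release
    with a higher version would be chosen instead.
    'unpinned': no == pin, so any newer release (from any index) wins.
    """
    logical = text.replace("\\\n", " ").splitlines()          # fold pip's line continuations
    stripped = [re.split(r"(?:^|\s)#", ln, maxsplit=1)[0].strip() for ln in logical]
    extra_index = any(ln.startswith("--extra-index-url") for ln in stripped)
    private = {normalize(n) for n in private_names}
    findings = []
    for num, line in enumerate(stripped, 1):
        if not line or line.startswith("-"):                   # blank line or pip option
            continue
        m = re.match(r"([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==)?", line)
        if not m:
            continue
        name, pinned = normalize(m.group(1)), bool(m.group(2))
        hashed = "--hash=" in line                             # --require-hashes material
        if not pinned:
            findings.append((num, name, "unpinned"))
        if name in private and extra_index and not hashed:
            findings.append((num, name, "shadowable"))
    return findings


if __name__ == "__main__":
    for num, name, issue in lint_requirements(SAMPLE_REQUIREMENTS, PRIVATE_NAMES):
        print(f"line {num}: {name}: {issue}")
```

Running it on the sample flags `requests` as unpinned and `acme-internal-utils` as shadowable, while the hash-pinned `acme_auth` line passes.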
hitko (2y): @Fast-Nop The whole Python ecosystem is built on a single person's self-importance, and a community of people jerking him off. What else would you expect?
PyTorch.
2018: uh, what happens when someone uses a same-name attack? - No big deal. https://github.com/pypa/pip/...
2020: I think that's a security issue. - Nanana, it's not. https://github.com/pypa/pip/...
2022: malicious package extracts sensitive user data on nightly. https://bleepingcomputer.com/news/...
You had years to react, you clowns.
random
dependency chain attack