Learn More
Resend Email
17
Fast-Nop
2y

PyTorch.

2018: uh, what happens when someone uses a same name attack? - No big deal. https://github.com/pypa/pip/...
2020: I think that's a security issue. - Nanana, it's not. https://github.com/pypa/pip/...
2022: malicious package extracts sensitive user data on nightly. https://bleepingcomputer.com/news/...

You had years to react, you clowns.

random

dependency chain attack
Favorite
Ranter
Comments
  • 3
    2y
    Clowns indeed
  • 4
    2y
    Clown/Clownself
  • 5
    2y
    TBF, Paul Moore pointed out from the beginning that you shouldn't trust stuff from PyPI to not be malware in the first place. But regardless, you should always be able to choose which piece of malware you want to install on your machine.
  • 5
    2y
    @electrineer PyPi seems to always enjoy priority over private repos of the same name, that's what enabled this attack.

    That begs the question - if they are aware of the consequences, then why do they prioritise a server that they themselves regard as malware host? Just for screwing people?
  • 4
    2y
    @Fast-Nop The whole Python ecosystem is built on a single person's self-importance, and a community of people jerking him off. What else would you expect?
  • 0
    2y
    @hitko https://youtu.be/Ex1JuIN0eaA
    Sounds like that
devRant © 2021 Hexical Labs LLC
Privacy Policy  |  Terms of Service
Add Comment