17

PyTorch.

2018: uh, what happens when someone uses a same name attack? - No big deal. https://github.com/pypa/pip/...
2020: I think that's a security issue. - Nanana, it's not. https://github.com/pypa/pip/...
2022: malicious package extracts sensitive user data on nightly. https://bleepingcomputer.com/news/...

You had years to react, you clowns.

Comments
  • 3
    Clowns indeed
  • 4
    Clown/Clownself
  • 5
    TBF, Paul Moore pointed out from the beginning that you shouldn't trust stuff from PyPI to not be malware in the first place. But regardless, you should always be able to choose which piece of malware you want to install on your machine.
  • 5
@electrineer PyPI seems to always enjoy priority over private repos of the same name, that's what enabled this attack.

    That begs the question - if they are aware of the consequences, then why do they prioritise a server that they themselves regard as malware host? Just for screwing people?
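A concrete model of the same-name attack the comments above describe, added here as an example; it is not code from the thread, from PyTorch or from pip. It models pip's documented behaviour, which is to pool the candidates from `--index-url` and `--extra-index-url` with no priority between them and pick the highest version, so a public upload with a bigger version number wins over the internal package. It then models the two installs that close the hole: a single `--index-url` that never consults the public index, and `--require-hashes` pinning, where a file whose digest does not match the pin is never installed. The package name `internal-helper`, the two indexes and their contents are constructed sample data, not real packages.

```python
"""Model of the same-name (dependency confusion) attack described in the thread.

Added example, not code from the thread or from pip. Index contents and the
package name are constructed, not real packages.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Candidate:
    name: str
    version: str
    index: str    # "private" or "public": which index served the file
    sha256: str   # digest of the (constructed) distribution file


def version_key(version: str) -> tuple:
    """Ordering on release segments only; enough for this model (not full PEP 440)."""
    return tuple(int(part) for part in version.split("+")[0].split("."))


def digest(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


# Constructed sample artifacts: the internal package, an attacker's same-name
# upload with a huge version number, and an attacker's upload that copies the
# internal version number but not its contents.
PRIVATE_BLOB = b"internal-helper 1.4.0 built by the internal CI"
ATTACKER_BLOB = b"internal-helper 99.0.0 uploaded by an attacker"
TAMPERED_BLOB = b"internal-helper 1.4.0 uploaded by an attacker"

INDEXES = {
    "private": [Candidate("internal-helper", "1.4.0", "private", digest(PRIVATE_BLOB))],
    "public": [
        Candidate("internal-helper", "99.0.0", "public", digest(ATTACKER_BLOB)),
        Candidate("internal-helper", "1.4.0", "public", digest(TAMPERED_BLOB)),
    ],
}


def resolve_pooled(name: str, indexes: dict) -> Candidate:
    """pip with --extra-index-url: candidates from every index go into one pool
    and the highest version wins. No index is preferred, so the public upload
    with the bigger version number beats the internal package."""
    pool = [c for cands in indexes.values() for c in cands if c.name == name]
    if not pool:
        raise LookupError(f"{name}: no candidates on any index")
    return max(pool, key=lambda c: version_key(c.version))


def resolve_single_index(name: str, indexes: dict, only: str) -> Candidate:
    """pip with --index-url <private> and no extra index: the public index is
    never consulted, so a same-name public package cannot be selected."""
    pool = [c for c in indexes[only] if c.name == name]
    if not pool:
        raise LookupError(f"{name}: not on index {only!r}")
    return max(pool, key=lambda c: version_key(c.version))


def resolve_hash_pinned(name: str, pinned_version: str, pinned_sha256: str,
                        indexes: dict) -> Candidate:
    """pip --require-hashes with `name==version --hash=sha256:...`: the file is
    downloaded and its digest compared with the pin before install. pip aborts
    on a mismatch; this model returns the verified file or raises, which keeps
    the same invariant: bytes that do not match the pin are never installed."""
    matching = [c for cands in indexes.values() for c in cands
                if c.name == name and c.version == pinned_version]
    if not matching:
        raise LookupError(f"{name}=={pinned_version}: not on any index")
    verified = [c for c in matching if c.sha256 == pinned_sha256]
    if not verified:
        raise RuntimeError(f"{name}=={pinned_version}: hash mismatch, refusing to install")
    return verified[0]


if __name__ == "__main__":
    print("pooled   :", resolve_pooled("internal-helper", INDEXES))
    print("one index:", resolve_single_index("internal-helper", INDEXES, "private"))
    print("hash pin :", resolve_hash_pinned("internal-helper", "1.4.0",
                                            digest(PRIVATE_BLOB), INDEXES))
```

The pooled resolver is the one a requirements file alone cannot control: the name and even a version spec are satisfied by whichever index offers the best match, so the fix has to come from the install configuration (a single private index or proxy) or from hash pins, not from the package list.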
  • 4
    @Fast-Nop The whole Python ecosystem is built on a single person's self-importance, and a community of people jerking him off. What else would you expect?