科技回声 (Tech Echo)
A tech-news platform built on Next.js, carrying global technology news and discussion threads.
© 2025 科技回声. All rights reserved.

Investigating a backdoored PyPI package targeting FastAPI applications

141 points, by ecares, over 2 years ago

7 comments

nisegami, over 2 years ago

Some thoughts:

1. The blast radius appears to be very minimal; the affected GitHub package has 0 stars, 2 contributors, 1 watcher and 4 issues total.

2. The issue was caught and resolved quickly (within a day?).

3. I haven't seen any explanation by the developer on whether their account was compromised?

Comment #33730519 not loaded
IAmGraydon, over 2 years ago

The author worked in Belarus for Wargaming.net until just before making this commit. Wargaming recently withdrew their operations from Belarus and Russia for obvious reasons, and the author appears to have lost his job with them as a result. Combined with the way he nonchalantly reversed the commit, I'm thinking the theory on r/netsec may not be so far-fetched.

Comment #33731780 not loaded
oefrha, over 2 years ago

According to https://pypistats.org/packages/fastapi-toolkit, this package had 158 downloads in total in the past month. This would include automated tools (e.g. this GuardDog mentioned in TFA) grabbing every single package version published.

But of course they have to hype it up with "50k stars", "used by Microsoft, Uber, and Netflix" blah blah, otherwise it's a complete non-story.

Comment #33730884 not loaded
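The blast-radius checks nisegami and oefrha ran by hand (repository activity, release history, download counts) can be scripted. The block below is an added example, not code from the original post, the linked write-up or the fastapi_toolkit project: it reads documents in the shape of PyPI's JSON API (`/pypi/<name>/json`) and pypistats.org's recent-downloads endpoint (`/api/packages/<name>/recent`), flags a release that appears after a long dormant period, and reports reach. The package name, dates, counts and thresholds are constructed for illustration and are not the real fastapi-toolkit figures.

```python
"""Blast-radius triage for a PyPI package from its public metadata.

Added example (not from the original post or any project named in the thread).
It automates two checks commenters did by hand: how abruptly the newest release
appeared relative to the package's prior cadence, and how many downloads it
actually gets. All sample values below are constructed.
"""
import json
import statistics
import urllib.request
from datetime import datetime
from typing import Any

# Constructed PyPI JSON-API response (only the fields this script reads).
SAMPLE_PYPI_JSON: dict[str, Any] = {
    "info": {"name": "example-toolkit", "version": "0.1.5"},
    "releases": {
        "0.1.0": [{"upload_time_iso_8601": "2021-03-01T10:00:00.000000Z", "yanked": False}],
        "0.1.1": [{"upload_time_iso_8601": "2021-03-20T10:00:00.000000Z", "yanked": False}],
        "0.1.2": [{"upload_time_iso_8601": "2021-04-05T10:00:00.000000Z", "yanked": False}],
        "0.1.3": [{"upload_time_iso_8601": "2021-05-01T10:00:00.000000Z", "yanked": False}],
        "0.1.4": [{"upload_time_iso_8601": "2021-05-15T10:00:00.000000Z", "yanked": False}],
        # One release after a year and a half of silence: the pattern worth a look.
        "0.1.5": [{"upload_time_iso_8601": "2022-11-25T10:00:00.000000Z", "yanked": False}],
    },
}
# Constructed pypistats "recent" response.
SAMPLE_PYPISTATS_RECENT: dict[str, Any] = {
    "data": {"last_day": 9, "last_week": 40, "last_month": 158},
    "package": "example-toolkit",
    "type": "recent_downloads",
}


def _parse_iso(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def release_timeline(pypi_json: dict[str, Any]) -> list[tuple[str, datetime]]:
    """[(version, earliest upload time)] sorted by time; yanked files are ignored."""
    timeline = []
    for version, files in pypi_json["releases"].items():
        times = [_parse_iso(f["upload_time_iso_8601"]) for f in files if not f.get("yanked", False)]
        if times:
            timeline.append((version, min(times)))
    timeline.sort(key=lambda item: item[1])
    return timeline


def gap_days(timeline: list[tuple[str, datetime]]) -> list[int]:
    """Whole days between consecutive releases."""
    return [(later[1] - earlier[1]).days for earlier, later in zip(timeline, timeline[1:])]


def triage(pypi_json, stats, *, low_reach_threshold=1000, gap_factor=6, min_gap_days=90):
    """Return the triage signals as a dict. The thresholds are assumed defaults, not a standard."""
    timeline = release_timeline(pypi_json)
    gaps = gap_days(timeline)
    result = {
        "package": pypi_json["info"]["name"],
        "versions": len(timeline),
        "latest": timeline[-1][0] if timeline else None,
        "last_gap_days": gaps[-1] if gaps else None,
        "abrupt_release": False,
    }
    if len(gaps) >= 2:
        # Compare the newest gap against the median of the earlier ones.
        baseline = statistics.median(gaps[:-1])
        result["abrupt_release"] = gaps[-1] > max(gap_factor * baseline, min_gap_days)
    # Download counts include scanners and mirrors that fetch every new version,
    # so treat this as an upper bound on real users, not a count of victims.
    last_month = stats["data"]["last_month"]
    result["downloads_last_month"] = last_month
    result["low_reach"] = last_month < low_reach_threshold
    return result


def fetch_live(name: str) -> dict:
    """Pull the same two documents from the real endpoints (network required)."""
    with urllib.request.urlopen(f"https://pypi.org/pypi/{name}/json", timeout=15) as r:
        pypi_json = json.load(r)
    with urllib.request.urlopen(f"https://pypistats.org/api/packages/{name}/recent", timeout=15) as r:
        stats = json.load(r)
    return triage(pypi_json, stats)


if __name__ == "__main__":
    import sys
    report = fetch_live(sys.argv[1]) if len(sys.argv) > 1 else triage(SAMPLE_PYPI_JSON, SAMPLE_PYPISTATS_RECENT)
    print(json.dumps(report, indent=2))
```

Run it with a package name to query the live endpoints, or with no argument to score the constructed sample. A flagged "abrupt release" on a low-reach package is a reason to diff the new version's sdist against the previous one before anything else; it is not evidence of compromise on its own.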
d1l, over 2 years ago
More FUD from attention seeking, for-profit organizations. Even a tiny bit of digging shows this is virtually a non-issue. Look at the gh repo, the pypi stats
denton-scratch, over 2 years ago

> a package whose maintainer's account was likely compromised by a malicious actor

They don't say why they think it was an account compromise, rather than a malicious maintainer.

Comment #33730866 not loaded
kjok, over 2 years ago
Again some esoteric package that likely nobody uses. If you’re worried about such attacks, private registry mirrors can go a long way.
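One concrete form of the mirror-based defence kjok mentions, as an added example (not from the original post or any project in the thread): a CI gate that rejects a requirements file unless every package is pinned to an exact version with a sha256 hash and the only index is the organisation's private mirror. The mirror URL, both sample requirements files and the placeholder digests are constructed.

```python
"""CI gate for a pip requirements file: every requirement pinned to an exact
version with a sha256 hash, and only the organisation's private mirror as index.

Added example (not from the original post or any project named in the thread).
The mirror URL and both requirements files below are constructed; the hash
digests are placeholders, not real artifact hashes.
"""
import re
import shlex

ALLOWED_INDEX = "https://pypi.internal.example/simple"  # assumed private mirror

PINNED_RE = re.compile(r"^(?P<name>[A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?)(?:\[[^\]]*\])?==(?P<version>[^\s;]+)$")
HASH_RE = re.compile(r"^--hash=sha256:[0-9a-f]{64}$")
HARMLESS_OPTIONS = {"--require-hashes"}

# Constructed: what a mirror-only, hash-pinned file looks like.
GOOD_REQUIREMENTS = f"""\
--index-url {ALLOWED_INDEX}
--require-hashes
fastapi==0.88.0 \\
    --hash=sha256:{'0' * 64}
starlette==0.22.0 --hash=sha256:{'1' * 64}  # inline comment is fine
"""

# Constructed: the file that lets a poisoned upstream release walk in.
BAD_REQUIREMENTS = f"""\
--index-url {ALLOWED_INDEX}
--extra-index-url https://pypi.org/simple
fastapi-toolkit
requests==2.28.1
"""


def _logical_lines(text: str) -> list[str]:
    """Strip comments and join backslash-continued lines, as pip does."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()
        if not line:
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        lines.append((buf + line).strip())
        buf = ""
    if buf.strip():
        lines.append(buf.strip())
    return lines


def check_requirements(text: str, allowed_index: str = ALLOWED_INDEX) -> list[str]:
    """Return policy violations; an empty list means the file passes."""
    problems, saw_index = [], False
    for entry in _logical_lines(text):
        tokens = shlex.split(entry)
        opt, _, inline_value = tokens[0].partition("=")
        if opt in ("--index-url", "-i"):
            saw_index = True
            value = inline_value or (tokens[1] if len(tokens) > 1 else "")
            if value != allowed_index:
                problems.append(f"index URL must be {allowed_index}, got {value!r}")
            continue
        if opt in ("--extra-index-url", "--find-links", "-f"):
            # A second index lets pip resolve names against public PyPI too
            # (dependency confusion), defeating the point of the mirror.
            problems.append(f"extra index source not allowed: {entry}")
            continue
        if opt.startswith("-"):
            if opt not in HARMLESS_OPTIONS:
                problems.append(f"unexpected option: {entry}")
            continue
        match = PINNED_RE.match(tokens[0])
        if not match:
            problems.append(f"not pinned with ==: {tokens[0]}")
            continue
        if not any(HASH_RE.match(t) for t in tokens[1:]):
            problems.append(f"missing --hash=sha256:... for {match['name']}")
    if not saw_index:
        problems.append("no --index-url line; pip would default to pypi.org")
    return problems


if __name__ == "__main__":
    for label, text in (("good", GOOD_REQUIREMENTS), ("bad", BAD_REQUIREMENTS)):
        print(label, check_requirements(text) or "OK")
```

Run this before `pip install --require-hashes -r requirements.txt` in CI. The hashes only prove you got the artifact you resolved last time, not that it is benign; the mirror is what keeps a freshly published upstream version out until someone has looked at it, so configure it to sync only allow-listed packages rather than proxying all of PyPI.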
dlor, over 2 years ago

The issue from the researchers appears to be here: https://github.com/timaakulich/fastapi_toolkit/issues/4

This is definitely pretty strange. Account takeovers happen, but just reverting the commit and closing the issue after one gets discovered is not the best way to handle these.

This is the reality of our modern software development process though. Your threat model now must include the GitHub account of every maintainer of every open source project you use.

Comment #33732303 not loaded
Comment #33730717 not loaded
Comment #33731751 not loaded
Comment #33732070 not loaded
Comment #33733040 not loaded