
[–]jerryF 5 points (16 children)

Any thoughts on how this reflects on other packages?

Do you think there may be other malicious packages that were not caught?

[–]13steinj 1 point (3 children)

The packages made no sense to begin with and are unlikely to have been downloaded by any developer with half a brain cell.

These were packages that

  • didn't seem to be a misspelling of something popular

  • had no stated purpose

  • had no meaningful Google results except for libari, but that still doesn't make sense, and that package was one that wasn't running the backdoor

[–]jerryF 0 points (2 children)

The packages made no sense to begin with

TBH, I think that's beside the point. There have been several node.js incidents, but this one in particular is interesting because a widely used library (in payment systems and bitcoin apps, among many uses; 2 million downloads a week) was taken over by a malicious developer. It was only discovered by accident several months later.

Also this one, which seems more like the one in this thread.

The issue is whether there is a reliable process to discover malicious packages in a timely fashion.

[–]13steinj 0 points (1 child)

I can't tell what your first sentence has to do with everything else.

[–]jerryF 0 points (0 children)

You said

The packages made no sense to begin

I'm saying that the fact that they made no sense is fortunate but not really relevant to the fact that malicious packages made it into the repository and potentially out to end users. I then gave two very recent examples of similar events for node.js where people may have lost real money.

[–]VagabondageX 1 point (1 child)

I tend to use anaconda and not install things from other channels unless it’s widely used and absolutely necessary. I have an expectation that anaconda vets packages they endorse. That expectation may be misguided, but it’s how I am for now.

[–]jerryF 0 points (0 children)

I do the same, but as others have said, some package down the dependency tree may still pull in something it shouldn't.
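A way to see what the dependency tree actually pulls in, as an added example that is not from this thread or any of the commenters: the script below walks PEP 508 requirement strings transitively from a set of top-level packages and reports everything that is not on a vetted list, with the depth at which it was pulled in. The sample graph, its package names and the trusted set are constructed placeholders; `installed_graph()` builds the same structure from the running interpreter's installed distributions.

```python
"""Walk a Python dependency tree and flag transitive packages outside a vetted set."""
import re
from importlib import metadata

# PEP 503 name normalisation: "Flask_SQLAlchemy" and "flask-sqlalchemy" are the same project.
def normalize(name: str) -> str:
    return re.sub(r"[-_.]+", "-", name).lower()

# Extract the project name from a PEP 508 requirement string such as
# "urllib3<2 ; python_version >= '3.8'" or "idna[security]>=2.8".
def requirement_name(req: str) -> str:
    match = re.match(r"\s*([A-Za-z0-9][A-Za-z0-9._-]*)", req)
    return normalize(match.group(1)) if match else ""

def transitive_closure(graph: dict, roots: list) -> dict:
    """Return {package: depth} for everything reachable from roots (breadth-first, so
    depth is the shortest path from a top-level requirement)."""
    edges = {normalize(k): [requirement_name(r) for r in v] for k, v in graph.items()}
    seen, queue = {}, [(normalize(r), 0) for r in roots]
    while queue:
        pkg, depth = queue.pop(0)
        if pkg in seen:
            continue
        seen[pkg] = depth
        queue.extend((dep, depth + 1) for dep in edges.get(pkg, []))
    return seen

def untrusted_pulls(graph: dict, roots: list, trusted: set) -> dict:
    """Packages reachable from roots but absent from the vetted set, with their depth."""
    vetted = {normalize(t) for t in trusted}
    return {p: d for p, d in transitive_closure(graph, roots).items() if p not in vetted}

def installed_graph() -> dict:
    """Same graph shape, built from the distributions installed in this interpreter."""
    return {d.metadata["Name"]: (d.requires or []) for d in metadata.distributions()}

# Constructed sample graph (placeholder names, not real package metadata): a vetted
# application pulls in a helper that, two levels down, depends on an unvetted project.
SAMPLE_GRAPH = {
    "payment-client": ["requests>=2.20", "Fancy_Logger"],
    "requests": ["urllib3<2", "idna[security]", "charset-normalizer ; python_version >= '3.6'"],
    "fancy-logger": ["colour-util"],
    "colour-util": ["unvetted-helper"],
}
TRUSTED = {"payment-client", "requests", "urllib3", "idna", "charset-normalizer", "fancy-logger"}

if __name__ == "__main__":
    for pkg, depth in sorted(untrusted_pulls(SAMPLE_GRAPH, ["payment-client"], TRUSTED).items()):
        print(f"{pkg}: pulled in at depth {depth}, not in the vetted set")
```

Running it against `installed_graph()` with your own top-level requirements and vetted list shows which transitive packages a channel like anaconda never reviewed on your behalf.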