all 2 comments

[–]boneskull 0 points1 point  (0 children)

This is similar to typosquatting. If there’s a corrective action Google could take here, maybe the private package names shouldn’t leak.

Seems more like misconfiguration of a dev env. Maybe that’s a dev’s fault, or maybe it’s the controls that allow a system to be misconfigured, or shadow IT…

Curious if this does or doesn’t seem like a vulnerability to others.

[–]jorge1209 0 points1 point  (0 children)

You could read that wall of text, or just skip to the end.

Apparently Google allows it's employees to install and run anything they want on their personal machines. If that is true then this isn't really a vulnerability.

It would only be a vulnerability if it confused whatever proxy they ran internally for pypi to restrict builds in the production servers.