Looks like we discovered it at essentially the same time, and in essentially the same way. If the pth file didn't trigger a fork-bomb like behavior, this might have stayed undiscovered for quite a bit longer.
Good thinking on asking Claude to walk you through on who to contact. I had no idea how to contact anyone related to PyPI, so I started by shooting an email to the maintainers and posting it on Hacker News.
While I'm not part of the security community, I think everyone who finds something like this should be able to report it. There is no point in gatekeeping the reporting of serious security vulnerabilities.
> If you've identified a security issue with a project hosted on PyPI
> Login to your PyPI account, then visit the project's page on PyPI. At the bottom of the sidebar, click Report project as malware.
The existing account to report is an unfortunate obstacle. Presumably not a huge deal if you were auditing code for vulnerabilities, but still an annoyance.
The threat actor was sophisticated enough to spam GitHub issues with dozens of different accounts. I imagine they could completely overwhelm PyPI with unauthenticated reports.
The best part was that I didn't even mean to ask Claude who to contact! I was still in disbelief that I was one of the first people affected, so I asked for existing reports on the assumption that if it was real I definitely wasn't the first.
The fork-bomb part still seems really weird to me. A pretty sophisticated payload, caught by missing a single `-S` flag in the subprocess call.
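The mechanism the commenters are circling is worth making concrete from the defender's side: CPython's site module processes every `*.pth` file in site-packages at interpreter start, and any line that begins with `import` is executed, which is why a child interpreter launched without `-S` re-runs the same hook. The script below is an added example, not code from the thread or from any of the projects mentioned; it mirrors the site.py line rules to list which lines in a .pth file would execute, and flags common patterns worth a second look. The `SAMPLE_PTH` contents and the `_example_editable_finder` module name are constructed for the stand-alone run.

```python
"""Audit .pth files for lines the interpreter will execute at startup.

Added example, not code from the thread. It mirrors the rules CPython's
site.py applies when it processes *.pth files: a line beginning with
"import " or "import\\t" is exec()'d, blank lines and "#" comments are
skipped, anything else is appended to sys.path as a directory.
"""
import re
import site
import sys
from pathlib import Path

# Patterns that commonly show up in startup hooks worth a second look.
# Heuristic only: a hit means "read this line", not "this is malware".
SUSPICIOUS = re.compile(r"exec\(|eval\(|base64|subprocess|urlopen|socket")


def classify_pth_line(line: str) -> str:
    """Return 'ignored', 'executes' or 'path', the way site.py treats the line."""
    if not line.strip() or line.startswith("#"):
        return "ignored"
    if line.startswith(("import ", "import\t")):
        return "executes"
    return "path"


def audit_pth_text(name: str, text: str) -> list:
    """Return one finding per executable line in the given .pth contents."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if classify_pth_line(line) != "executes":
            continue
        findings.append({
            "file": name,
            "line": lineno,
            "code": line.strip(),
            "suspicious": bool(SUSPICIOUS.search(line)),
        })
    return findings


def audit_site_packages(directories=None) -> list:
    """Walk every site-packages directory this interpreter would process."""
    if directories is None:
        directories = list(site.getsitepackages())
        directories.append(site.getusersitepackages())
    findings = []
    for directory in directories:
        for pth in sorted(Path(directory).glob("*.pth")):
            try:
                text = pth.read_text(encoding="utf-8", errors="replace")
            except OSError:
                continue  # unreadable file: skip rather than abort the audit
            findings.extend(audit_pth_text(str(pth), text))
    return findings


def site_processing_disabled() -> bool:
    """True when this interpreter was started with -S (no site, so no .pth hooks)."""
    return bool(sys.flags.no_site)


# Constructed sample .pth contents for a stand-alone run; not a real file.
# Line 3 is the kind of hook editable installs legitimately use; line 4 is
# the shape of hook an audit should surface.
SAMPLE_PTH = (
    "# constructed sample\n"
    "/opt/example/lib\n"
    "import _example_editable_finder\n"
    "import base64, os; exec(base64.b64decode('PLACEHOLDER'))\n"
)

if __name__ == "__main__":
    print(f"site processing disabled (-S): {site_processing_disabled()}")
    for finding in audit_pth_text("sample.pth", SAMPLE_PTH):
        tag = "SUSPICIOUS" if finding["suspicious"] else "executes"
        print(f"{finding['file']}:{finding['line']} [{tag}] {finding['code']}")
    # Then the interpreter's real site-packages directories.
    for finding in audit_site_packages():
        tag = "SUSPICIOUS" if finding["suspicious"] else "executes"
        print(f"{finding['file']}:{finding['line']} [{tag}] {finding['code']}")
```

Run it with the interpreter you want to audit; a normal environment prints a few `executes` lines from editable installs and similar tooling, and anything tagged `SUSPICIOUS` deserves a manual read. Running the audit itself with `python -S` is a reasonable habit, since that is exactly the flag that stops any .pth hook from firing while you look.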
It actually wasn't. That was one of the reasons why I looked into what was changed. Even 1.82.6 is only at an RC release on GitHub since just before the incident.
So the fact that 1.82.7 and then 1.82.8 were released within an hour of each other was highly suspicious.
The main reason is just how hard it is to actually create anything that integrates with Teams. You have to jump through so many hoops, wade through so many deprecated APIs, guess through so many half-way-wrong-by-now documentation pages.
After building a proof of concept, we decided that we will only continue Teams integration if anyone is going to pay serious money for it.
In the past I've been trying to adopt the stoic mindset, but always struggled. But I continued to read and learn about it.
Unrelatedly, I came across a recommendation for David Burns' "Feeling Good" here on Hacker News a couple of years ago.
Reading it with my interest in stoicism in mind, I honestly found it to be probably the best modern day handbook to actually adopting the stoic mindset - without ever mentioning it.
As far as I understand stoicism, it is all about seeing things as they are, and understanding that the only thing that we really control is our reaction / interpretation of events. And the CBT approach that is explained in Feeling Good/Feeling Great is exactly how you do this.
With this perspective Marcus Aurelius' Meditations suddenly make a lot more sense. They are his therapy homework.
If anyone Googles it and is wondering about Feeling Good (1999) and Feeling Great (2020) by the same author, it seems like Feeling Great is just an updated version of the original book, based on more experience and new insights. Here's the author discussing the difference: