| ▲ | dot_treo 4 hours ago | ||||||||||||||||
Looks like we discovered it at essentially the same time, and in essentially the same way. If the pth file didn't trigger a fork-bomb like behavior, this might have stayed undiscoverd for quite a bit longer. Good thinking on asking Claude to walk you through on who to contact. I had no idea how to contact anyone related to PyPI, so I started by shooting an email to the maintainers and posting it on Hacker News. While I'm not part of the security community, I think everyone who finds something like this, should be able to report it. There is no point in gatekeeping the reporting of serious security vulnerabilities. | |||||||||||||||||
| ▲ | notatallshaw 4 hours ago | parent | next [-] | ||||||||||||||||
> I had no idea how to contact anyone related to PyPI > If you've identified a security issue with a project hosted on PyPI Login to your PyPI account, then visit the project's page on PyPI. At the bottom of the sidebar, click Report project as malware. | |||||||||||||||||
| |||||||||||||||||
| ▲ | Fibonar 4 hours ago | parent | prev | next [-] | ||||||||||||||||
The best part was that I didn't even mean to ask Claude who to contact! I was still in disbelief that I was one of the first people affected, so I asked for existing reports on the assumption that if it was real I definitely wasn't the first. The fork-bomb part still seems really weird to me. A pretty sophisticated payload, caught by missing a single `-S` flag in the subprocess call. | |||||||||||||||||
| ▲ | 4 hours ago | parent | prev [-] | ||||||||||||||||
| [deleted] | |||||||||||||||||