> It relies on tricking a developer into downloading a substituted package, which is indeed social engineering.
I wouldn't call this social engineering. The attacker isn't actively trying to trick anyone into anything. They're just exploiting the fact that the Python package management tools make it really easy for a user to accidentally -- without any prompting or interference from the attacker -- pull packages from pypi.org rather than their internal private repository.
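The accidental pull from pypi.org that this comment describes comes from pip's index handling, illustrated here by an added auditing script (not from any commenter, and not pip's own code): pip treats `index-url` and every `extra-index-url` as peers, merges the candidates from all of them, and installs the highest version found, so an internal name that someone also publishes on pypi.org can be served from there. The configs and the `pypi.internal.example` host are constructed for the example.

```python
import configparser
from urllib.parse import urlparse

# Constructed sample pip.conf files (not from the thread). The weak one lists
# the public index and a private one together; pip treats them as peers and
# installs whichever index offers the highest version of a given name.
WEAK_PIP_CONF = """\
[global]
index-url = https://pypi.org/simple
extra-index-url =
    https://pypi.internal.example/simple
"""

# Hardened: a single index. It is assumed to be a private proxy that mirrors
# PyPI and reserves the organization's internal package names, so public
# uploads under those names never reach the resolver.
HARDENED_PIP_CONF = """\
[global]
index-url = https://pypi.internal.example/simple
"""

PUBLIC_HOSTS = {"pypi.org", "pypi.python.org", "files.pythonhosted.org"}


def audit_pip_conf(text: str) -> list[str]:
    """Return findings for a pip.conf body; an empty list means no confusion-prone pattern."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    if not cfg.has_section("global"):
        return ["no [global] section: pip falls back to pypi.org by default"]
    g = cfg["global"]
    # pip's built-in default index is https://pypi.org/simple
    indexes = [g.get("index-url", "https://pypi.org/simple").strip()]
    indexes += g.get("extra-index-url", "").split()
    findings = []
    if len(indexes) > 1:
        findings.append("multiple indexes configured: pip merges candidates "
                        "from all of them and picks the highest version")
    public = [u for u in indexes if urlparse(u).hostname in PUBLIC_HOSTS]
    private = [u for u in indexes if u not in public]
    if public and private:
        findings.append("public and private indexes mixed: a name claimed on "
                        "pypi.org can shadow the internal package")
    return findings
```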
It might not be “trying to trick”, but it certainly is “trying to trap”. The outcome is the same, though, which is that an attacker actively tries to exploit a misconception of other people for their own (concealed) intents and purposes.
2. It relies on tricking a developer into downloading a substituted package, which is indeed social engineering.
3. If Google were susceptible to malicious code execution machinations of singular employees in China, Huawei would be Google, not Google.