**always coming home** @nightpool@cybre.space · May 10, 2018, 19:41

**always coming home** @nightpool@cybre.space · May 10, 2018, 19:41

always coming home @nightpool@cybre.space

holy shit.

https://www.reddit.com/r/Python/comments/8hvzja/backdoor_in_sshdecorator_package/
https://twitter.com/x0rz/status/994116668086542336

"The ssh-decorator package from Python pip had an obvious backdoor"

sends host + username + password to an external website

**mx. fluffy** @fluffy@queer.party · May 10, 2018, 20:43

**mx. fluffy** @fluffy@queer.party · May 10, 2018, 20:43

@nightpool @codl holy shit IN PLAINTEXT even what the jesus everfucking shit

**Austin Dern** @Austin_Dern · 2018-05-10T22:10:13Z

Austin Dern @Austin_Dern

@fluffy @nightpool @codl And if it weren't bad enough: logging it as 'passowrd'.

May 10, 2018, 22:10 · Web · 0 · 1

**mx. fluffy** @fluffy@queer.party · May 10, 2018, 23:10

**mx. fluffy** @fluffy@queer.party · May 10, 2018, 23:10

@Austin_Dern @nightpool @codl I can actually see them having done that on purpose to fool automated warning/checker things. It’s an anti pattern I saw a few times at Amazon internally to escape a code auditor process.

**Austin Dern** @Austin_Dern · May 10, 2018, 23:59

**Austin Dern** @Austin_Dern · May 10, 2018, 23:59

@fluffy @nightpool @codl Surely is to sneak past automated checking, yes. It's the laziness that gets me. If they titled like, 'networkSuccess' or 'connectStatus' or even 'misc1' then you'd have something too boring to pay attention to if you caught it being passed on your network.