drspod

joined 2 years ago
[–] [email protected] 3 points 25 minutes ago

If it was plausible this would be bigger news. There's a claim like this every couple of months and none have held up to scrutiny so far.


Threat actors are utilizing an attack called "Revival Hijack," where they register new PyPI projects using the names of previously deleted packages to conduct supply chain attacks.

The technique "could be used to hijack 22K existing PyPI packages and subsequently lead to hundreds of thousands of malicious package downloads," the researchers say.

If you ever install Python software or libraries using pip install then you need to be aware of this. Since PyPI is allowing re-use of project names when a project is deleted, any Python project that isn't being actively maintained could potentially have fallen victim to this issue, if it happened to depend on a package that was later deleted by its author.

This means installing legacy Python code is no longer safe. You will need to check every single dependency manually to verify that it is safe.

Hopefully, actively maintained projects will notice if this happens to them, but it still isn't guaranteed. This makes me feel very uneasy installing software from PyPI, and it's not the first time this repository has been used for distributing malicious packages.

It feels completely insane to me that a software repository would allow re-use of names of deleted projects - there is so much that can go wrong with this, and very little reason to justify allowing it.

[–] [email protected] 20 points 4 days ago (1 children)

I love that the local translation feature is getting regular small updates to make it more useable. It's a great feature.

[–] [email protected] 27 points 4 days ago (3 children)

Porges believes

This is an interesting article and yet you've chosen to quote the most speculative unscientific part of it from the final paragraph.

"Have you tried going outside" is not a scientific cure for depression.

[–] [email protected] 5 points 6 days ago (1 children)

Note to readers: Don't install Python dependencies for random Python projects of unknown provenance. PyPI is regularly being used as a vector for distributing malware. See recent news stories here: https://www.bleepingcomputer.com/tag/pypi/

You should manually check every package listed in requirements.txt and verify that it is a trustworthy Python library.
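Added example (editor's code, not the commenter's and not from any project the comments mention) serving both PyPI comments above, the "Revival Hijack" one and this one: the check that turns "verify every dependency by hand" into something mechanical is pip's hash-checking mode. A re-registered project that publishes a new file under an old name and version cannot reproduce the sha256 of the original wheel, so a requirements file with pinned versions and --hash lines refuses it. The requirements text, the stand-in for the index's per-release metadata, the digests, upload dates and the lock date below are all constructed placeholders; the audit reports what pip --require-hashes would reject plus two weaker signals (no hash, or a pinned version re-uploaded after the file was last resolved).

```python
import re
from datetime import date

# Constructed requirements.txt in pip's hash-checking format. Package names and
# digests are invented; the backslash continuations are the format pip expects.
SAMPLE_REQUIREMENTS = f"""\
# pinned and hashed; digest recorded when the file was last resolved
goodlib==1.2.0 \\
    --hash=sha256:{'1' * 64}
# pinned and hashed, but the index now serves a different file for the same version
hijacked==1.2.0 \\
    --hash=sha256:{'2' * 64}
# pinned, no hash: pip will accept whatever file the index serves
unhashed==3.0
# not even pinned
floating
"""

# Constructed stand-in for the per-release fields of the PyPI JSON API
# (https://pypi.org/pypi/<name>/json). Digests and dates are invented.
SAMPLE_INDEX = {
    "goodlib": {"1.2.0": {"sha256": "1" * 64, "upload_time": "2021-03-01"}},
    "hijacked": {"1.2.0": {"sha256": "9" * 64, "upload_time": "2024-09-02"}},
    "unhashed": {"3.0": {"sha256": "3" * 64, "upload_time": "2020-01-15"}},
    "floating": {"0.1": {"sha256": "4" * 64, "upload_time": "2024-09-01"}},
}

# Assumed date the requirements file was last resolved. A release for an already
# pinned version that was uploaded after this date was republished behind our back.
LOCK_DATE = date(2023, 1, 1)

REQ_RE = re.compile(r"^([A-Za-z0-9_.-]+)(?:==([^\s\\]+))?")
HASH_RE = re.compile(r"--hash=sha256:([0-9a-fA-F]{64})")


def parse_requirements(text):
    """Join pip's backslash continuations; return (name, version, [sha256...]) tuples."""
    logical = text.replace("\\\n", " ")
    entries = []
    for line in logical.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = REQ_RE.match(line)
        if not m:
            continue
        name, version = m.group(1).lower(), m.group(2)
        hashes = [h.lower() for h in HASH_RE.findall(line)]
        entries.append((name, version, hashes))
    return entries


def audit(text, index, lock_date):
    """Return {name: finding} for every requirement that cannot be trusted as written.

    Findings, strongest first: HASH_MISMATCH (what pip --require-hashes would reject),
    VERSION_MISSING, NO_HASH, UNPINNED, REPUBLISHED_AFTER_LOCK.
    """
    findings = {}
    for name, version, hashes in parse_requirements(text):
        if version is None:
            findings[name] = "UNPINNED"
            continue
        release = index.get(name, {}).get(version)
        if release is None:
            findings[name] = "VERSION_MISSING"
            continue
        if not hashes:
            findings[name] = "NO_HASH"
            continue
        if release["sha256"].lower() not in hashes:
            # Same name, same version, different bytes: exactly the revival case.
            findings[name] = "HASH_MISMATCH"
            continue
        if date.fromisoformat(release["upload_time"]) > lock_date:
            findings[name] = "REPUBLISHED_AFTER_LOCK"
    return findings


if __name__ == "__main__":
    for name, finding in sorted(audit(SAMPLE_REQUIREMENTS, SAMPLE_INDEX, LOCK_DATE).items()):
        print(f"{name}: {finding}")
    # Once every entry is pinned and hashed, installs are enforced with:
    #   pip install --require-hashes -r requirements.txt
```

For a real project the digests come from `pip hash <downloaded file>` (or pip-tools' `--generate-hashes`) at the time the dependency is reviewed, and the index fields come from the PyPI JSON API instead of SAMPLE_INDEX. Hash pinning does not vouch for what the original author shipped; it only guarantees that what gets installed later is the same bytes that were reviewed, which is the property a revived project name cannot fake.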

[–] [email protected] 0 points 6 days ago

Sorry but your satire isn't funny enough for me to continue reading when the page gets gradually darker as I scroll down so that it can show me a popup asking me to subscribe to your newsletter or whatever the fuck.

[–] [email protected] 0 points 6 days ago

AI is definitely capable of making great music right now.

Got any links?

[–] [email protected] 7 points 1 week ago (1 children)
  • Does your phone automatically join open wifi networks?
  • Do you have worse cell signal than usual in this store?
[–] [email protected] 0 points 1 week ago

But website ads don’t get the ad money like YouTube.

Their website doesn't even have ads

[–] [email protected] 3 points 1 week ago

You can see the planned specs for the two different models on their indiegogo page: https://www.indiegogo.com/projects/emudeck-machines-retro-emulation-console-pc#/

I'm guessing they have a pre-selected all-in-one board (designed for mobile devices) and they're just designing a chassis around it. There's still a lot that could go wrong, but it's a bit more achievable than actually designing, testing and assembling your own board.


Description: "Featured is a playthrough of a blitz chess game between Rodrigo Vasquez and Vladimir Kramnik from an Early Titled Tuesday event which was held on October 17th, 2023. Kramnik recently admitted, via a YouTube comment on this topic of fair play surrounding him, that he played several tournaments under someone else’s chess.com account. This act violates chess.com’s Fair Play Policy. Kramnik played under Denis Khismatullin’s account, “Krakozia”. I share reasons why this is a violation of fair play policy, how a player can be negatively impacted because of it, and provide Kramnik’s YouTube comments where he attempts to explain it all."


A reported Free Download Manager supply chain attack redirected Linux users to a malicious Debian package repository that installed information-stealing malware.

The malware used in this campaign establishes a reverse shell to a C2 server and installs a Bash stealer that collects user data and account credentials.

Kaspersky discovered the potential supply chain compromise case while investigating suspicious domains, finding that the campaign has been underway for over three years.
