Pas.plugins. C authomatic

flipmcf · March 17, 2023, 6:33pm

Browsing PyPi today.

ALL: This is the official maintained authomatic oAuth2 plugin:

But.... this came up in a search....

https pypi.org slash project slash pas.plugins.cauthomatic

Now, I'd hate to think there's a typosquatter out there trying to harvest credentials.... Probably an honest mistake, but could someone take a quick look at what this is?

Honestly, I would absolutely love to distract myself and spelunk both these plugins and discover a bad actor (or just boring mistakes) but I REALLY need to focus on my job. I'm sorry I'm bringing you guys work instead of solutions.

@jensens @ericof @thet @saily

mtrebron · March 17, 2023, 8:39pm

I notified the security team some time ago about a similar issue with
https://pypi.org/ project/ collective.saml2/ - it links to someone's project on Github, not to GitHub - collective/collective.saml2: Installation of SAML2 web single-sign-on for Plone (dm.zope.saml2)

jensens · March 20, 2023, 10:18am

Is there any process how to report abuse on PyPI? I am a bit lost on Help · PyPI and can not find an explicit process to follow.

davisagli · March 20, 2023, 3:52pm

@jensens Security · PyPI (Found link in the footer)

flipmcf · March 20, 2023, 4:08pm

Anyone spelunked or diffed it with 1.1.2 of the approved plugin?

Does it even matter?