by nisegami 1300 days ago
Some thoughts:

1. The blast radius appears to be very minimal: the affected GitHub package has 0 stars, 2 contributors, 1 watcher and 4 issues total.

2. The issue was caught and resolved quickly (within a day?).

3. I haven't seen any explanation by the developer on whether their account was compromised.


Fully agree, worth reiterating as the title doesn't make it clear.

The vulnerability is not in FastAPI itself, but in a relatively unknown utility package that you probably aren't using.

Still good to raise awareness but a slight bit of scaremongering

Hello! One of the authors of the post here. Just added a sentence in the introduction to make it crystal clear:

> While FastAPI itself is not impacted, this is an interesting occurrence of an attacker attempting to deploy a FastAPI-specific backdoor.

Appreciate your feedback!

FYI: You left a name and email in the GitHub history.

I know they are public via GH, but it feels weird to redact every piece of PII including avatar, then leaving a name and email in there.

Thanks for the heads-up. The goal was mostly to avoid having this post come up when someone types the author's name into Google. I'll have it blurred for the sake of consistency, though.

> Still good to raise awareness but a slight bit of scaremongering

It's not scaremongering as much as it is a (thinly veiled) ad for Datadog's own tech:

> using our latest open source tool, GuardDog, which uses heuristics to identify malicious or compromised PyPI packages.

> We recently released GuardDog, a free and open-source tool to identify malicious PyPI packages

> Datadog ASM Vulnerability Monitoring, announced earlier this year at Dash, allows you to identify vulnerable and malicious packages

> Datadog Cloud Workload Security has a number of out-of-the-box rules to detect post exploitation scenarios