Publish your own package to PyPI that on import does some evil stuff. Name the package something similar to a known, but not too well known package. Supply chain attacks are even less defended against than other stuff.
All this relies on companies being shit though, but well, we all know that’s the case in a lot of places.
Yea… pipeline and dependency auditing isn’t trivial if you want to catch the subtle stuff. Even most of the devs that know how to do it are going to respond with, “above my pay grade…” unless they’re somehow actually getting paid enough to be arsed to do it correctly…
Publish your own package to PyPI that on import does some evil stuff. Name the package something similar to a known, but not too well known package. Supply chain attacks are even less defended against than other stuff.
All this relies on companies being shit though, but well, we all know that’s the case in a lot of places.
Yea… pipeline and dependency auditing isn’t trivial if you want to catch the subtle stuff. Even most of the devs that know how to do it are going to respond with, “above my pay grade…” unless they’re somehow actually getting paid enough to be arsed to do it correctly…