#TIL when creating a Python project, using some==2.2.0 to "pin" your requirements isn't actually pinning them, as the package owner (or anyone with access) may upload version 2.2.0-1, 2.2.0-2, etc., which will match "==2.2.0".
@fohrloop Huh. I did a quick experiment which suggests otherwise:
>>> from packaging.version import Version
>>> from packaging.specifiers import SpecifierSet
>>> s1 = SpecifierSet("==2.2.0")
>>> Version("2.2.0.post0") in s1
False
>>> Version("2.2.0.post1") in s1
False
>>> Version("2.2.0") in s1
True
(".post0" is the canonical way of writing "-0", and so on)
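The reply's REPL check can be made a little more systematic. The following is an added example, not code from either poster; it is a deliberately small model of the PEP 440 rules for `==`, `===` and `==X.*` (no epochs, pre- or dev-releases) written with only the standard library, so it does not depend on the `packaging` package. Besides confirming that `==2.2.0` rejects `2.2.0.post1` and `2.2.0-1`, it shows the two cases a defender should know about: `==2.2.0` does accept local-label variants such as `2.2.0+cu118` and the zero-padded `2.2`, while `==2.2.*` accepts post-releases, and only `===` is a literal string match. The package name `some`, the version strings and the `check_pin` helper are constructed for the illustration.

```python
"""Simplified PEP 440 '==' / '===' / '==X.*' matching (illustration only, not the packaging library)."""
import re
from typing import Dict, Iterable, Optional, Tuple

# Versions handled: N(.N)* with an optional post-release (".postN", "-N", "postN")
# and an optional local label ("+cu118"). Pre-releases, dev-releases and epochs
# are deliberately out of scope for this illustration.
_VERSION_RE = re.compile(
    r"^(?P<release>\d+(?:\.\d+)*)"
    r"(?:(?:[.\-_]?(?:post|rev|r)|-)(?P<post>\d+))?"
    r"(?:\+(?P<local>[a-z0-9]+(?:[.\-_][a-z0-9]+)*))?$",
    re.IGNORECASE,
)


class Version:
    def __init__(self, text: str) -> None:
        m = _VERSION_RE.match(text.strip())
        if not m:
            raise ValueError(f"unsupported version string: {text!r}")
        self.text = text.strip()
        self.release: Tuple[int, ...] = tuple(int(p) for p in m["release"].split("."))
        self.post: Optional[int] = int(m["post"]) if m["post"] is not None else None
        self.local: Optional[str] = m["local"].lower() if m["local"] else None

    def public_key(self) -> Tuple[Tuple[int, ...], Optional[int]]:
        # PEP 440 treats trailing zeros in the release segment as insignificant
        # (2.2 == 2.2.0), so strip them before comparing. The local label is
        # intentionally not part of this key.
        rel = list(self.release)
        while len(rel) > 1 and rel[-1] == 0:
            rel.pop()
        return tuple(rel), self.post


def matches(spec: str, candidate: str) -> bool:
    """Return True if `candidate` satisfies a single ==, === or ==X.* specifier."""
    spec = spec.strip()
    cand = Version(candidate)
    if spec.startswith("==="):
        # Arbitrary equality: a plain case-insensitive string comparison, nothing else.
        return cand.text.lower() == spec[3:].strip().lower()
    if not spec.startswith("=="):
        raise ValueError("only ==, === and ==X.* are modelled here")
    body = spec[2:].strip()
    if body.endswith(".*"):
        # Prefix match on leading release components only (zero-padding the
        # candidate); post-releases and local labels are NOT excluded by it.
        if not re.fullmatch(r"\d+(?:\.\d+)*", body[:-2]):
            raise ValueError("only release-segment prefixes are modelled here")
        prefix = tuple(int(p) for p in body[:-2].split("."))
        padded = cand.release + (0,) * max(0, len(prefix) - len(cand.release))
        return padded[: len(prefix)] == prefix
    pinned = Version(body)
    if pinned.public_key() != cand.public_key():
        return False
    # A local label on the candidate is ignored unless the pin itself carries one.
    return pinned.local is None or pinned.local == cand.local


# Constructed helper: "name==X" lines only, no extras, markers or multiple clauses.
_REQ_RE = re.compile(
    r"^\s*(?P<name>[A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?)\s*(?P<spec>===?\s*\S+)\s*$"
)


def check_pin(requirement: str, available: Iterable[str]) -> Dict[str, bool]:
    """Map each available version to whether the pinned requirement line accepts it."""
    m = _REQ_RE.match(requirement)
    if not m:
        raise ValueError(f"not a simple pinned requirement: {requirement!r}")
    return {v: matches(m["spec"], v) for v in available}


if __name__ == "__main__":
    # Constructed index listing for a hypothetical package "some".
    listing = ["2.2.0", "2.2", "2.2.0.post1", "2.2.0-1", "2.2.0+cu118"]
    for line in ("some==2.2.0", "some===2.2.0", "some==2.2.*"):
        print(line)
        for v, ok in check_pin(line, listing).items():
            print(f"  {v:14} {'accepted' if ok else 'rejected'}")
```

The output for `some==2.2.0` accepts `2.2.0`, `2.2` and `2.2.0+cu118` and rejects both post-release spellings; `some===2.2.0` accepts only the literal `2.2.0`; `some==2.2.*` accepts everything in the listing. Whichever operator is used, a version specifier only selects a release name on the index, so a pin that must survive a re-upload or a compromised maintainer account is one that also records the artifact's hash (pip's `--hash` / `--require-hashes` mode).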
A malicious campaign that researchers observed growing more complex over the past half year has been planting on open-source platforms hundreds of info-stealing packages that counted about 75,000 downloads.
I had #ChatGPT write a #Python script to scan my machines for the infected packages mentioned in this @BleepingComputer article. I've tested it on my work laptop and that is it. Please feel free to test it out and let me know if it works.
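For readers who want to see what a scan of this kind involves, here is an added example written for this thread; it is not the poster's ChatGPT-generated script, and the article's package names are not reproduced here, so `DENYLIST` holds constructed placeholders to be replaced with the names from the advisory being acted on. It inventories the distributions visible to the running interpreter with the standard library's `importlib.metadata` and compares them against the denylist after PEP 503 normalisation (case-insensitive, with runs of `-`, `_` and `.` collapsed to `-`), because `Foo_Bar`, `foo.bar` and `FOO-BAR` all name the same project and a naive string comparison would miss them. The `find_flagged` and `installed_distributions` helpers are constructed for the example.

```python
"""Inventory installed Python distributions and flag any on a denylist (added example)."""
import re
from importlib import metadata
from typing import Dict, Iterable, List

# Constructed placeholders: substitute the package names named in the advisory.
DENYLIST = ["example-bad-package", "another_bad.one"]


def normalize(name: str) -> str:
    """PEP 503 project-name normalisation."""
    return re.sub(r"[-_.]+", "-", name).lower()


def find_flagged(installed: Iterable[str], denylist: Iterable[str]) -> List[str]:
    """Return the installed names (as spelled on disk) whose normalised form is denylisted."""
    bad = {normalize(n) for n in denylist}
    return sorted({n for n in installed if normalize(n) in bad})


def installed_distributions() -> Dict[str, str]:
    """Name -> version for every distribution visible to this interpreter's sys.path."""
    found: Dict[str, str] = {}
    for dist in metadata.distributions():
        name = dist.metadata.get("Name")
        if name:
            found[name] = dist.version
    return found


if __name__ == "__main__":
    inventory = installed_distributions()
    hits = find_flagged(inventory, DENYLIST)
    print(f"{len(inventory)} distributions inspected")
    for name in hits:
        print(f"FLAGGED: {name} {inventory[name]}")
    if not hits:
        print("no denylisted packages found in this interpreter's environment")
```

One caveat that applies to any such scan: `importlib.metadata` only sees the environment of the interpreter it runs under, so the script has to be run once per interpreter and virtual environment on the machine (and with the user account that owns `--user` installs); an absence of hits from one `python` binary says nothing about the others.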