It’s not hard to do. What would be hard would be getting it through code review. Like the example provided… how would that ever get through code review for a merge? Must not be a well-protected code base?
Publish your own package to PyPI that on import does some evil stuff. Name the package something similar to a known, but not too well known package. Supply chain attacks are even less defended against than other stuff.
All this relies on companies being shit though, but well, we all know that’s the case in a lot of places.
It’s not hard to do. What would be hard would be getting it through code review. Like the example provided… how would that ever get through code review for a merge? Must not be a well-protected code base?
Publish your own package to PyPI that on import does some evil stuff. Name the package something similar to a known, but not too well known package. Supply chain attacks are even less defended against than other stuff.
All this relies on companies being shit though, but well, we all know that’s the case in a lot of places.