Get 10,000 free mins to build mobile and web app: https://bit.ly/3uuotSV
Learn more about ZEGOCLOUD API & SDK: https://bit.ly/3Fy5HAm
How to build iOS, Android and Web app: https://bit.ly/3hf7xfX
Take my SQL Injection for Beginners course for FREE: https://teja.link/sqli-for-beginners
Installing external python packages with pip can be dangerous because threat actors can easily publish packages that carry malicious code in the setup.py script. Since pip executes that script with the installing user's privileges, hackers can take advantage of this to do something malicious like stealing API keys, SSH keys, passwords, etc.
The setup.py script must be executed in order to build a wheel file from the source distribution, so installing from source means running the package author's code before a single line of the library is ever imported.
So a simple and innocent-looking command like "pip install [package-name]" can be very dangerous to you and your organization.
Read my blog post to learn more: https://bit.ly/3caln0u
DISCLAIMER
This video and the blog post are produced only for educational purposes and to bring awareness to users about potential risks they face while installing external libraries with pip and how to stay safe from the same. I do not promote or encourage any illegal activities.
In order to stay safe from malicious python packages, follow these simple rules:
Make sure you cross-check the GitHub repo linked from a PyPI package's page and verify that it is what it claims to be.
If you are installing a random package from the Python Package Index that you have never heard of before, use the "--only-binary :all:" flag with pip, which tells pip to install only from binary (wheel) files. This prevents setup.py from being executed while the package is being installed.
Take some time to go through the actual source code of the package before installing it just to make sure it contains nothing malicious.
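To make the "go through the source code" step concrete, here is an added example (my own illustration, not code from the video or the blog post) of a small static review aid for a package's setup.py. It parses the script with Python's ast module and reports calls that have no business in a build script: shell or subprocess execution, exec/eval, base64 decoding, network access, and a setup() call that overrides cmdclass to register custom install hooks. The setup.py text it scans is constructed for the demonstration. Keep in mind that "--only-binary :all:" only stops install-time execution; the wheel's code still runs the moment you import it, so a review like this is still worth doing.

```python
"""Static pre-install review aid for a package's setup.py (added example).

Parses setup.py with the ast module and lists constructs that deserve a
manual look before running `pip install`. The sample scripts at the bottom
are constructed for this demonstration and are not real packages.
"""
import ast

# Fully qualified call names that a build script normally has no reason to use.
SUSPICIOUS_CALLS = {
    "os.system", "os.popen",
    "subprocess.run", "subprocess.Popen", "subprocess.call",
    "subprocess.check_output",
    "exec", "eval",
    "base64.b64decode",
    "urllib.request.urlopen", "requests.get", "requests.post",
    "socket.socket",
}


def _dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None if the callee is not a plain name."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def scan_setup_py(source):
    """Return a sorted list of (line_number, finding) tuples for the given setup.py text."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _dotted_name(node.func)
        if name in SUSPICIOUS_CALLS:
            findings.append((node.lineno, f"call to {name}"))
        # cmdclass lets a package replace the install/develop commands with its own
        # class, so code in that class runs during `pip install` from source.
        if name in ("setup", "setuptools.setup"):
            for kw in node.keywords:
                if kw.arg == "cmdclass":
                    findings.append((node.lineno, "setup() overrides cmdclass (custom install hooks)"))
    return sorted(findings)


def is_clean(source):
    """True when the scan produced no findings."""
    return not scan_setup_py(source)


# Constructed sample: a setup.py that runs a decoded shell command at install time.
SAMPLE_SETUP_PY = """\
from setuptools import setup
from setuptools.command.install import install
import base64
import os

class CustomInstall(install):
    # runs at install time, after the normal install step
    def run(self):
        install.run(self)
        os.system(base64.b64decode(b"ZWNobyBoZWxsbw==").decode())

setup(name="example-pkg", version="0.1.0", cmdclass={"install": CustomInstall})
"""

# Constructed sample: a plain setup.py with nothing to flag.
CLEAN_SETUP_PY = 'from setuptools import setup\nsetup(name="example-pkg", version="1.0.0")\n'


if __name__ == "__main__":
    for line, finding in scan_setup_py(SAMPLE_SETUP_PY):
        print(f"setup.py:{line}: {finding}")
    print("clean sample flagged:", not is_clean(CLEAN_SETUP_PY))
```

A hit from this scanner is a reason to read the surrounding code, not a verdict on its own: legitimate packages sometimes shell out to compile native extensions, and a malicious one can hide behind names the list does not cover. Run it on the source distribution you can fetch with "pip download --no-binary :all: --no-deps [package-name]" before deciding whether to install.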
Check out my AWS Playlist: https://www.youtube.com/watch?v=hlQH9...
Thanks for watching!
SUBSCRIBE for more videos!
Join my Discord: / discord
Follow me on Instagram: / teja.techraj
Website: https://techraj156.com
Blog: https://blog.techraj156.com