Hackers can use python's pip to steal your data!
Tech Raj
Take my SQL Injection for Beginners course for FREE: https://bit.ly/3MTMQ2Q
Installing external Python packages with pip can be dangerous because a threat actor can easily publish a package whose setup.py script contains malicious code. Since pip executes that script, and therefore arbitrary code, on the end user's computer while installing the package, hackers can abuse it to steal API keys, SSH keys, passwords, etc.
pip has to run setup.py in order to build a wheel file from a source distribution, so a simple and innocent-looking command like "pip install [package-name]" can be very dangerous to you and your organization.
Read my blog post to learn more: https://bit.ly/3caln0u
DISCLAIMER This video and the blog post are produced only for educational purposes and to bring awareness to users about potential risks they face while installing external libraries with pip and how to stay safe from the same. I do not promote or encourage any illegal activities.
In order to stay safe from malicious Python packages, follow these simple rules:
- Cross-check the GitHub repo linked from a PyPI package's page and verify that the package is what it claims to be.
- If you are installing a random package from the Python Package Index that you have never heard of before, use the "--only-binary :all:" flag, which tells pip to install only from binary (wheel) files. This prevents setup.py from executing while the package is being installed (if no wheel is available, pip aborts instead of falling back to the source distribution).
- Take some time to go through the actual source code of the package, setup.py included, before installing it, just to make sure it contains nothing malicious.
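To support the last rule, here is an added example (not from the video or blog post) that statically audits a setup.py with Python's ast module, flagging imports and calls a packaging script rarely needs and the cmdclass hook that lets code run at install time. The sample setup.py, the module and call lists, and the URL in it are constructed for illustration.

```python
import ast

# Constructed sample setup.py: it registers a custom install command whose
# run() performs a network call. The URL is a placeholder, not a real payload.
SAMPLE_SETUP_PY = '''
import urllib.request
from setuptools import setup
from setuptools.command.install import install

class PostInstall(install):
    def run(self):
        install.run(self)
        urllib.request.urlopen("http://example.invalid/ping")  # placeholder

setup(name="harmless-looking-pkg", version="0.1", cmdclass={"install": PostInstall})
'''

# Modules and builtins a legitimate setup.py rarely needs (assumed list);
# each hit is a prompt for manual review, not proof of malice.
SUSPICIOUS_MODULES = {"subprocess", "socket", "urllib", "requests", "http", "base64", "ctypes"}
SUSPICIOUS_CALLS = {"exec", "eval", "compile", "__import__"}

def _dotted(node):
    """Render a Name/Attribute chain such as urllib.request.urlopen as a string."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted(node.value)
        return f"{base}.{node.attr}" if base else node.attr
    return ""

def audit_setup_py(source: str) -> list:
    """Return review findings (with line numbers) for a setup.py source string."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            names = [a.name for a in node.names] if isinstance(node, ast.Import) else [node.module or ""]
            for name in names:
                if name.split(".")[0] in SUSPICIOUS_MODULES:
                    findings.append(f"line {node.lineno}: imports {name}")
        elif isinstance(node, ast.Call):
            name = _dotted(node.func)
            if name in SUSPICIOUS_CALLS:
                findings.append(f"line {node.lineno}: calls {name}()")
            elif name == "setup" and any(k.arg == "cmdclass" for k in node.keywords):
                findings.append(f"line {node.lineno}: setup() registers custom commands via cmdclass")
    return findings
```

Run `audit_setup_py(open("setup.py").read())` on an unpacked sdist (for example one fetched with `pip download --no-binary :all: --no-deps <package>`) and read every flagged line before deciding to install.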
Check out my AWS Playlist: https://www.youtube.com/watch?v=hlQH9...
Thanks for watching! SUBSCRIBE for more videos!
Join my Discord: https://discord.gg/6TjBzgt Follow me on Instagram: https://instagram.com/teja.techraj Website: https://techraj156.com Blog: https://blog.techraj156.com ... https://www.youtube.com/watch?v=qTI2GwPysE4