Closed DEMON1A closed 7 months ago
We're working to get this malware removed
What's getting in the way of downloading the PyPi package and uploading those files so that the latest commit doesn't contain the malware? Alternatively, re-creating the main branch sounds like an option.
@Esmeray6 I don't have git perms. Working with people who do have that, though. Will be handled shortly.
Why the fuck does someone random, unrelated to top.gg, have full master access to this repo????
Suggestion:
Will any action be taken for @editor-syntax? Your guy seems to be a fan of other repos spreading the same malware
If you ever got affected by the malware on top-gg, I wrote an article about how you can remove the malware from your system. Stay safe, guys.
https://medium.com/@demonia/detecting-and-removing-the-pypihosted-malware-bd44778cbc54
> Why the fuck does someone random, unrelated to top.gg, have full master access to this repo????
So far I have not received an answer to that question in other issues or heard back directly from any Top.gg employees on this matter.
Suggestion:
- Require anyone to PR in order to merge to master.
- Several LGTMs from contributors rather than one to commit.
- Don't optimise something that doesn't require optimizing (why even support outdated versions that probably had CVEs?).
That would require having credible contributors in the first place. Throwback to the previous maintainers not getting any status updates on our PRs because no one felt like bothering with this repo and all of the attention seemed to be directed towards the JS SDK.
Any explanation/clarification about this incident?
Doubt we'll ever get any.
Probably the last time I'm using any official libraries from Top.gg..
> Doubt we'll ever get any.
> Probably the last time I'm using any official libraries from Top.gg..
But my PyPi download statistics... sob.
I wonder how long this issue will stay opened for.
Probably another one that will stay open forever
Since topgg already removed the malware (didn't provide an explanation, though), let's just close this.
Public information posted on the Discord server:
Hi all,
At the start of this month, we were made aware of a security issue involving our Python SDK. A contributor to the python-sdk had their GitHub account compromised, which led to malicious commits being pushed to the top-gg/python-sdk package. The issue was resolved within 24h of being made aware of it.
The issue has potentially impacted developers who installed the python-sdk directly from git (through pip3 install git+...) from Feb 19 until Mar 3. If you believe you've been at risk, we highly recommend you enable 2FA on all of your accounts and rotate your passwords right away.
Generally we believe the overall scope of the attack was minimal; the repository sees a low number of git clones (approx. 2 unique clones per day), though we are interested in collecting numbers and understanding more about how our SDK is being used. If you believe you've been exposed to this vulnerability, please reach out directly to me.
In response to this, we've made additional efforts to ensure that these kinds of issues will not repeat.
- We've required 2-factor authentication for all contributors on our internal, volunteer, and community orgs.
- We've required a minimum of one separate reviewer to approve a commit before it is allowed to go through to the main branch.
- We've split off the main top-gg org with a new community org to better communicate which are official releases from the internal team and which are community maintained.
If you cloned the repository within the days of 19 Feb to 3 Mar, please ensure the git tree in your python-sdk does not contain the following commit, as this is the commit that infects the package: ecb87731286d72c8b8172db9671f74bd42c6c534
This kind of activity is far below the bar for what we strive for, and we hope we've convinced you that, moving forward, we will ensure this will not happen again.
Cheers, Veld
https://discord.com/channels/264445053596991498/285458046006591499/1221887798479683685
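The announcement above asks affected users to verify that their clone's history does not contain the named commit. The script below is an added example, not code from Top.gg or the python-sdk project, that performs that check in two places a practitioner would want to look: the git history reachable from any ref (so a commit that was force-pushed off `main` is still found via remote-tracking refs), and the `direct_url.json` metadata that pip writes for packages installed from a VCS URL (PEP 610), which records the exact commit that was installed. The sample history list and sample JSON are constructed for illustration; the commit hash is the one from the announcement.

```python
"""Added example (not from the python-sdk project): check a local clone and
the installed Python environment for a known-bad commit."""
import json
import subprocess
from importlib.metadata import distributions

# Commit the Top.gg announcement identifies as the one that infects the package.
BAD_COMMIT = "ecb87731286d72c8b8172db9671f74bd42c6c534"


def history_contains(history, bad_sha=BAD_COMMIT):
    """True if bad_sha (full or abbreviated, any case) matches a commit in
    `history`, an iterable of full SHAs such as `git rev-list --all` prints."""
    prefix = bad_sha.strip().lower()
    if len(prefix) < 7:
        raise ValueError("refusing to match on fewer than 7 hex characters")
    return any(sha.strip().lower().startswith(prefix) for sha in history)


def git_history(repo_path):
    """All commits reachable from any ref, including remote-tracking refs, so
    the bad commit is still reported after `main` was rewritten past it."""
    out = subprocess.run(["git", "-C", repo_path, "rev-list", "--all"],
                         check=True, capture_output=True, text=True).stdout
    return out.split()


def vcs_commit_from_direct_url(raw_json):
    """Parse a pip direct_url.json document; return (url, commit_id) when the
    distribution was installed from a VCS URL, else None."""
    if not raw_json:
        return None
    info = json.loads(raw_json)
    vcs = info.get("vcs_info")
    if not vcs:
        return None
    return info.get("url"), vcs.get("commit_id")


def git_installed_distributions():
    """Yield (name, url, commit_id) for every installed distribution that pip
    recorded as coming from a VCS checkout."""
    for dist in distributions():
        found = vcs_commit_from_direct_url(dist.read_text("direct_url.json"))
        if found:
            yield dist.metadata["Name"], found[0], found[1]


def check_clone(repo_path, bad_sha=BAD_COMMIT):
    return history_contains(git_history(repo_path), bad_sha)


# Constructed sample history (not real python-sdk commits, except the last one).
SAMPLE_HISTORY = [
    "0123456789abcdef0123456789abcdef01234567",
    "89abcdef0123456789abcdef0123456789abcdef",
    "ecb87731286d72c8b8172db9671f74bd42c6c534",
]

if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "."
    print("clone:", "BAD COMMIT PRESENT" if check_clone(path) else "commit not found")
    for name, url, commit in git_installed_distributions():
        flag = "  <-- BAD COMMIT" if history_contains([commit or ""]) else ""
        print(f"{name} installed from {url} at {commit}{flag}")
```

Run it with the path to a clone as the first argument; the installed-package scan needs no argument and covers whatever environment the interpreter runs in. Matching on an abbreviated hash is allowed but capped at seven characters or more so a typo cannot silently match nothing.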
Hm, pretty nice. Sorta back to a system we had to put up with, though. Unless someone this time truly feels like bothering.
> Any explanation/clarification about this incident?
Hey! This is Buffer. My account was compromised, and I didn't realize it until someone brought up the issue. By then, it was too late—the hijacker had already published those commits. They were never published by me, and I was unaware of my GitHub account being compromised until this incident. I'm truly sorry for what happened. Regarding my departure from the Top.gg server, I felt pressured and uncertain about what to do. I was embarrassed, and I apologize to @null8626 for cutting you off. I was afraid you would be against me. I'm sorry for this late explanation; personal matters have kept me busy, which is why I didn't realize I had been hacked. I'm very grateful to those who helped me revert the commits. I've forgotten how to use the git command already. That's all, thank you.
It's okay ❤️❤️❤️
Appreciate the explanation, Buffer. Shit happens.
We need @editor-syntax back on topgg, ngl. I can confirm his story is legit, though I already know who did this. It's not his fault that his account got compromised; this stuff happens all the time, even in big companies. I've seen this happen even in Uber.
BUFFER FOR PRESIDENT
He has already stepped down.
Hey there, it seems like a commit made by @editor-syntax is actually spreading malware affecting all of your users: https://github.com/top-gg/python-sdk/commit/ecb87731286d72c8b8172db9671f74bd42c6c534. Your guy changed the requirements.txt content into links pointing to tar files hosted at pypihosted.org. This domain is owned by a hacker and is being used to spread malware. Please make sure to update requirements.txt and remove its content before anyone else gets hacked. There's an info stealer injected into the packages you're using, and anyone who used your SDK already got an info stealer on their system.
https://medium.com/@demonia/discovering-malwares-in-public-github-repositories-3e080f030ecc
https://medium.com/@demonia/lets-dig-deep-into-pypihosted-malware-part-1-94ada4737442
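The report above describes the attack vector: requirements.txt entries replaced by links to tarballs on a domain the attacker controls. The following is an added example, not code from the python-sdk project or the reporter, of a pre-install check that flags any requirement line pulling code from a URL, a VCS checkout, or a non-default index rather than from PyPI's own hosts. The sample requirements file is constructed; the pypihosted.org domain comes from the report, but the path under it is made up, and the allowed-host list and the `mirror.example.invalid` index are assumptions for the example.

```python
"""Added example (not from the python-sdk project): flag requirements.txt
entries that fetch code from somewhere other than PyPI."""
import re
from urllib.parse import urlparse

# Hosts we are willing to download from; everything else is reported.
# Assumption for this example: only the official PyPI hosts are trusted.
ALLOWED_HOSTS = {"pypi.org", "files.pythonhosted.org"}

# Matches a bare URL, a "name @ URL" direct reference, or a git+... VCS URL.
URL_RE = re.compile(r"https?://[^\s#]+|git\+[^\s#]+", re.IGNORECASE)

# pip options that redirect where packages come from.
INDEX_OPTIONS = ("--index-url", "-i ", "--extra-index-url", "--find-links", "-f ")


def suspicious_requirements(text):
    """Return (line_no, line, reason) for every requirement line that points
    at an external host, a VCS checkout, or a custom package index."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.lower().startswith(INDEX_OPTIONS):
            findings.append((no, raw, "custom package index or find-links"))
            continue
        match = URL_RE.search(line)
        if match:
            url = match.group(0)
            host = urlparse(url.replace("git+", "", 1)).hostname or ""
            if host not in ALLOWED_HOSTS:
                findings.append((no, raw, f"direct download from {host!r}"))
    return findings


# Constructed sample; the pypihosted.org path and the mirror host are made up.
SAMPLE = """# constructed sample requirements.txt, not the real file
aiohttp>=3.8
https://pypihosted.org/constructed/path/aiohttp-3.8.0.tar.gz
requests @ https://files.pythonhosted.org/packages/constructed/requests-2.31.0.tar.gz
-e git+https://github.com/example/constructed-package.git#egg=constructed
--extra-index-url https://mirror.example.invalid/simple
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for no, line, reason in suspicious_requirements(text):
        print(f"line {no}: {reason}\n    {line}")
```

The check deliberately treats any direct URL as worth a look, even on trusted hosts it only passes `files.pythonhosted.org`, because a name-pinned PyPI release can be audited by name and version while an arbitrary tarball URL cannot; review every reported line before running `pip install -r`.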