Malware Masquerading as Mcp on Pypi
Source: inspector.pypi.io
Key topics: Malware, PyPI, Security
A PyPI package 'doordash-rest-client' was found to be masquerading as a legitimate client while containing malware.
Snapshot generated from the HN discussion (story ID 45118150, one comment; last synced 11/17/2025, 10:09:25 PM).
Story posted Sep 3, 2025 at 1:06 PM EDT.
Starting with PyPI "Doordash Client": https://pypi.org/search/?q=doordash+client I was excited by 5 recently published packages. As I usually do, I checked them out via GitHub... but hit a dead link.
Quick inspection of the package clearly shows a random server handles all the requests made, including your PII, address, credit card info -- 99% chance this is malware.
The world's moving fast these days, and AI is making it easier for everyone - even the bad actors - to make what looks like polished OSS.
My typical workflow for selecting packages is:
1. Check out their GitHub - social credit means a lot to me
2. Clone the repo, and ask `claude`, `cursor` or whichever agent I'm using at the time for a quick audit
3. If I'm putting my own credentials or a PAT in there, review it myself at the top level too
Stay safe folks!