I agree the article isn't super clear. Reading it twice, it seems that the user credentials are exfiltrated to the C2 server (only the screenshot implies it), which definitely would be malicious.
Also a possible interpretation could be that the package advertised "just" some automations (e.g. export playlists to m3u?) and getting music metadata, whereas it was actually downloading musics locally unbeknownst to the user. Then exfiltrating the music back to the C2 server, effectively using the package's users to mass pirate musics without exposing the pirates directly. That would indeed be malicious, especially if the package did not advertise any content downloading.
But for the last paragraph I'm extrapolating on the few info this article gives without making much sense..
Basically I've been using Jellyfin for some years for streaming. Once I got the steam deck, I thought it'd be awesome to use it for offline viewing of Jellyfin content when I'm too tired to focus on a game, on long trakn rides!
So I looked for Jellyfin desktop clients, found one that I liked with offline downloads, namely Fladder. The install process for the Steam Deck wasn't straightforward, so I learnt Flatpak packaging and submitted a PR to the GitHub project, which was well received. I can now watch my TV shows on the train when I don't feel like playing!
the SHIFT key(create 5 units instead of 1 when hold)
activator for a different action group, where the joystick are mapped to a circular menu. E.g. one of these menu assigns units to one of the 6 quick groups in my circular menu, and I can then select these units with just the right joystick (no button pressed). Another one activates a right joystick circular menu to go to a building (and I did map nearly all building types..)
I can also combine these, to e.g. select all barracks
We have the same principle in French with (so learning Ihr in German was easier!), but frankly this is a reason why I prefer working in an english professional setting. Some people, generally older, get offended if you ever use the 'du' with them. But some others will want to look shill/younger and will get offended or mock you if you use 'du' with them.
So yeah, using "you" to talk to the queen, my boomer customer or my nephew makes it so much easier!
Thanks for sharing! I've been using guvcview for a long time to control exposure and focus on my good old Logitech C920, but adding a ppa just for that seemed a bit too much. I will definitely have a look at it!
Not sure if it fits the bill, but it is categorized as a soulslike: Death Door. It's an indie game, chill and cute atmosphere, still challenging but not too punishing. I haven't played much soulslike before but I started this one on Steam Deck and I'm really digging it!
Regarding security: a quick browsing in the project's issues, filtering by area:security did not show any flaws being reported since the last release. But there may have been undisclosed vulnerabilities the project's dev are working on fixing for the next version. My personal non-professional non-legally-binding opinion is that it looks fine, so I do keep it running on my server.
The original dev has gone silent indeed, but a team of volunteers resumed development recently. So I wouldn't call it outdated, but we'll see if they'll keep up the good work for long.
I've been using it for more than a year to automate a few stuff, it's been good for this purpose so yeah I would recommend it :)
I agree the article isn't super clear. Reading it twice, it seems that the user credentials are exfiltrated to the C2 server (only the screenshot implies it), which definitely would be malicious.
Also a possible interpretation could be that the package advertised "just" some automations (e.g. export playlists to m3u?) and getting music metadata, whereas it was actually downloading musics locally unbeknownst to the user. Then exfiltrating the music back to the C2 server, effectively using the package's users to mass pirate musics without exposing the pirates directly. That would indeed be malicious, especially if the package did not advertise any content downloading.
But for the last paragraph I'm extrapolating on the few info this article gives without making much sense..
EDIT: from the original article here https://socket.dev/blog/malicious-pypi-package-exploits-deezer-api-for-coordinated-music-piracy it does not seem that the musics are downloaded on the user systems then extracted to the C2 server, but rather all that's necessary to build the download urls, including tokens tied to the victims' account.