n0xew

I agree the article isn’t super clear. Reading it twice, it seems that the user credentials are exfiltrated to the C2 server (only the screenshot implies it), which definitely would be malicious.

Also a possible interpretation could be that the package advertised “just” some automations (e.g. export playlists to m3u?) and getting music metadata, whereas it was actually downloading musics locally unbeknownst to the user. Then exfiltrating the music back to the C2 server, effectively using the package’s users to mass pirate musics without exposing the pirates directly. That would indeed be malicious, especially if the package did not advertise any content downloading.

But for the last paragraph I’m extrapolating on the few info this article gives without making much sense…

EDIT: from the original article here https://socket.dev/blog/malicious-pypi-package-exploits-deezer-api-for-coordinated-music-piracy it does not seem that the musics are downloaded on the user systems then extracted to the C2 server, but rather all that’s necessary to build the download urls, including tokens tied to the victims’ account.

I successfully did it about 2 years ago, following the instructions from this repo (last commit 2 years ago though…) https://github.com/MMMZZZZ/Jellyfin-Migrator

We have the same principle in French with (so learning Ihr in German was easier!), but frankly this is a reason why I prefer working in an english professional setting. Some people, generally older, get offended if you ever use the ‘du’ with them. But some others will want to look shill/younger and will get offended or mock you if you use ‘du’ with them. So yeah, using “you” to talk to the queen, my boomer customer or my nephew makes it so much easier!

You can have a look at hugo, with some simple theme like hugo-book

Looks nice, I’ll give it a try! There’s also a Jellyfin community, don’t hesitate to crosspost there :)