[Distutils] Malicious packages on PyPI
Thomas Kluyver
thomas at kluyver.me.uk
Thu Jun 1 13:18:48 EDT 2017
Are we aware of this?
http://evilpackage.fatezero.org/
I recall there were a couple of these before which were taken down, but
someone appears to have made a cookiecutter template so you can very
easily claim names on PyPI, and anyone who installs that package will
submit their information to that site. A couple that are up at the
moment:
https://pypi.python.org/pypi/requirements-txt/1.1.1
https://pypi.python.org/pypi/ztz/0.1.1
Do we delete them? Do we try to detect similar packages being uploaded
and block them? I suspect it's a waste of time to try to prevent this in
general, but maybe it's worth protecting likely names that people might
'pip install' by mistake, such as requirements-txt.
Thomas
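The detection idea raised above (hold uploads whose names collide with or closely resemble names people are likely to `pip install` by mistake) can be prototyped as a name-screening check at upload time. The following is an added example, not code from this post, from Distutils-SIG, or from PyPI itself. The `PROTECTED_NAMES` list is constructed for illustration and the `suspicious_upload` function is a hypothetical hook; the only standard it relies on is PEP 503 name normalization (lowercase, runs of `-`, `_`, `.` collapsed to a single `-`).

```python
import re
from typing import Iterable

# Constructed protected list for illustration only. A real deployment would
# seed it from popular project names and known "pip install" typos, such as
# people typing `pip install requirements.txt` instead of `-r requirements.txt`.
PROTECTED_NAMES = {
    "requests",
    "requirements",
    "setuptools",
    "numpy",
}


def normalize(name: str) -> str:
    """PEP 503 normalization: lowercase, collapse runs of '-', '_', '.' to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute); fine for short package names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete
                           cur[j - 1] + 1,         # insert
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def suspicious_upload(candidate: str,
                      protected: Iterable[str] = PROTECTED_NAMES,
                      max_distance: int = 2) -> list[tuple[str, str]]:
    """Hypothetical upload-time hook.

    Returns (reason, protected_name) pairs explaining why `candidate` should
    be held for human review before the name is claimed. An empty list means
    the simple heuristics found nothing; it is not proof the name is benign.
    """
    cand = normalize(candidate)
    hits: list[tuple[str, str]] = []
    for p in protected:
        p_norm = normalize(p)
        if cand == p_norm:
            hits.append(("exact-after-normalization", p))
        elif cand.startswith(p_norm + "-") or cand.endswith("-" + p_norm):
            # e.g. "requirements-txt" or "Requirements.txt" against "requirements"
            hits.append(("protected-name-with-prefix-or-suffix", p))
        elif levenshtein(cand, p_norm) <= max_distance:
            hits.append(("near-miss", p))
    return hits


if __name__ == "__main__":
    for name in ("Requirements.txt", "reqeusts", "ztz"):
        print(name, "->", suspicious_upload(name))
```

The last case in the usage block is deliberate: an arbitrary short name such as `ztz` matches nothing, which is the point made in the post that screening cannot stop this in general. The check earns its keep on the narrower problem of reserving names that users plausibly type by accident.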