[Distutils] Malicious packages on PyPI

Thomas Kluyver thomas at kluyver.me.uk
Thu Jun 1 13:18:48 EDT 2017


Are we aware of this?
http://evilpackage.fatezero.org/

I recall there were a couple of these before which were taken down, but
someone appears to have made a cookiecutter template so you can very
easily claim names on PyPI, and anyone who installs that package will
submit their information to that site. A couple that are up at the
moment:

https://pypi.python.org/pypi/requirements-txt/1.1.1
https://pypi.python.org/pypi/ztz/0.1.1

Do we delete them? Do we try to detect similar packages being uploaded
and block them? I suspect it's a waste of time to try to prevent this in
general, but maybe it's worth protecting likely names that people might
'pip install' by mistake, such as requirements-txt.

Thomas


More information about the Distutils-SIG mailing list