[Distutils] Malicious packages on PyPI

Xavier Fernandez xav.fernandez at gmail.com
Thu Jun 1 15:31:59 EDT 2017

This makes me remember
https://hackernoon.com/building-a-botnet-on-pypi-be1ad280b8d6 on a related

On Thu, Jun 1, 2017 at 7:40 PM, Thomas Kluyver <thomas at kluyver.me.uk> wrote:

> On Thu, Jun 1, 2017, at 06:32 PM, Matt Joyce wrote:
> It's basically a test dummy package that reports users who have ran that
> package template.
> That's what I thought, but all the code to do the upload seems to have
> been removed before s/he built those packages. Now it's just a harmless
> warning, unless I'm missing something.
> https://github.com/fate0/cookiecutter-evilpy-package/commit/
> a3ed1e1e060748b0444158ea3bc569dfbf57645e
> the site referenced lists the package name that the user ran to get posted
> to the site.   there appear to be many packages in pypi that are built off
> this fatezero template.
> There *appear* to be, but I checked several of the names listed there, and
> they're not on PyPI:
> https://pypi.python.org/pypi/tkinter
> https://pypi.python.org/pypi/memcached
> https://pypi.python.org/pypi/vtk
> https://pypi.python.org/pypi/python-dev
> https://pypi.python.org/pypi/opencv
> So I wonder if the data is fake. Or maybe they were already taken down? Or
> the installations are real, but not using those names.
> pypi is not a very good package management solution.  most folks I advise
> to build from pypi in CI/CD but push to production via a real package
> management solution such as apt or yum.  always double check sources coming
> from the internet.
> It's an open repository that anyone can upload to. That has its drawbacks
> and its advantages.
> _______________________________________________
> Distutils-SIG maillist  -  Distutils-SIG at python.org
> https://mail.python.org/mailman/listinfo/distutils-sig
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/distutils-sig/attachments/20170601/1e0cf3a5/attachment-0001.html>

More information about the Distutils-SIG mailing list