[Distutils] Malicious packages on PyPI
xav.fernandez at gmail.com
Thu Jun 1 15:31:59 EDT 2017
This makes me remember
https://hackernoon.com/building-a-botnet-on-pypi-be1ad280b8d6 on a related
On Thu, Jun 1, 2017 at 7:40 PM, Thomas Kluyver <thomas at kluyver.me.uk> wrote:
> On Thu, Jun 1, 2017, at 06:32 PM, Matt Joyce wrote:
>> It's basically a test dummy package that reports users who have run that
>> package template.
>
> That's what I thought, but all the code to do the upload seems to have
> been removed before s/he built those packages. Now it's just a harmless
> warning, unless I'm missing something.
>
>> The site referenced lists the package name that the user ran to get posted
>> to the site. There appear to be many packages in PyPI that are built off
>> this fatezero template.
>
> There *appear* to be, but I checked several of the names listed there, and
> they're not on PyPI:
>
> So I wonder if the data is fake. Or maybe they were already taken down? Or
> the installations are real, but not using those names.
>
>> PyPI is not a very good package management solution. Most folks I advise
>> to build from PyPI in CI/CD but push to production via a real package
>> management solution such as apt or yum. Always double check sources coming
>> from the internet.
>
> It's an open repository that anyone can upload to. That has its drawbacks
> and its advantages.