[Distutils] Malicious packages on PyPI

Richard Jones richard at python.org
Thu Jun 1 18:25:17 EDT 2017


On 2 June 2017 at 03:40, Thomas Kluyver <thomas at kluyver.me.uk> wrote:

> On Thu, Jun 1, 2017, at 06:32 PM, Matt Joyce wrote:
> There *appear* to be, but I checked several of the names listed there, and
> they're not on PyPI:
>
> https://pypi.python.org/pypi/tkinter
> https://pypi.python.org/pypi/memcached
> https://pypi.python.org/pypi/vtk
> https://pypi.python.org/pypi/python-dev
> https://pypi.python.org/pypi/opencv
>
> So I wonder if the data is fake. Or maybe they were already taken down? Or
> the installations are real, but not using those names.
>

Yes, we had the author take them down, please see
https://github.com/pypa/pypi-legacy/issues/644


     Richard