Official Python software package repository flooded with spam

Spam packages used to drive traffic to pirated movie links


The official Python software package repository PyPI is under attack from threat actors that have begun flooding it with spam packages, according to a new report from BleepingComputer.

These spam packages use a naming style commonly associated with torrents and other pirated content online, where each package’s name contains the title of a movie, the current year and the words “online” and “free”, for example “watch-army-of-the-dead-2021-full-online-movie-free-hd-quality”.
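The naming pattern described above (movie title plus a year plus words like “watch”, “online”, “free”, “movie”, “hd”) is regular enough that a dependency-review step can flag it before anyone installs such a package. The following is an added example, not code from the article or from PyPI; the keyword list, the scoring threshold and the sample names are constructed assumptions for illustration, and the heuristic deliberately looks only at the name, so a package named after a single TV show (like the “wandavision” case mentioned below) is not caught by it.

```python
import re

# Constructed keyword cluster typical of torrent-style titles (assumption,
# not a list taken from the article or from PyPI).
SPAM_KEYWORDS = {
    "watch", "online", "free", "movie", "full", "hd",
    "stream", "streaming", "download", "quality",
}

# A bare four-digit year token such as "2021".
YEAR_RE = re.compile(r"(19|20)\d{2}")


def spam_score(name: str) -> int:
    """Count torrent-style signals in a package name.

    Each keyword token adds one point; a standalone year token adds one more.
    Tokens are split on the separators PyPI normalises (-, _, .) and spaces.
    """
    tokens = re.split(r"[-_.\s]+", name.lower())
    score = sum(1 for t in tokens if t in SPAM_KEYWORDS)
    if any(YEAR_RE.fullmatch(t) for t in tokens):
        score += 1
    return score


def is_suspicious_name(name: str, threshold: int = 3) -> bool:
    """Flag a name once it carries at least `threshold` signals (assumed cutoff)."""
    return spam_score(name) >= threshold


def triage(names):
    """Return {name: flagged} for a list of candidate dependency names."""
    return {n: is_suspicious_name(n) for n in names}


if __name__ == "__main__":
    # Constructed sample input: one name from the article, plus legitimate-looking
    # names to show the heuristic does not fire on ordinary packages.
    sample = [
        "watch-army-of-the-dead-2021-full-online-movie-free-hd-quality",
        "jedi-language-server",
        "free-form-parser",
        "requests",
    ]
    for name, flagged in triage(sample).items():
        print(f"{'FLAG' if flagged else 'ok  '}  score={spam_score(name)}  {name}")
```

Run it against the names in a requirements file or lock file before installation; anything flagged is worth a manual look at the project page rather than a blind `pip install`. The threshold is set so that a single incidental keyword (as in “free-form-parser”) does not trip the check.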

Senior software engineer at Sonatype, Adam Boesch, first discovered these suspicious packages when he found a PyPI component named after a popular TV show. Boesch provided further insight on his discovery in an interview with BleepingComputer, saying:

“I was looking through the dataset and noticed ‘wandavision’ which is a bit strange for a package name. Looking closer I found that package and looked it up on PyPI because I didn’t believe it. It’s not uncommon in other ecosystems like npm, where you have millions of packages. Packages like these luckily are fairly easy to spot and avoid.”

Spam packages

In addition to spam keywords and links to illegal video streaming sites, the spam packages found on PyPI also contain files with functional code and author information stolen from legitimate Python software packages.

When BleepingComputer discovered a spam package titled “watch-army-of-the-dead-2021-full-online-movie-free-hd-quality” and investigated it, the news outlet found that it contained author information as well as some code from the “jedi-language-server” PyPI package.

While many similarly named packages used to be easy to find through a search for “full-online-movie-free” on PyPI, at the time of writing, it appears that the maintainers of the Python Package Index repository have cleaned up most of the spam.


However, Python developers looking for new packages on the repository should exercise caution if they decide to download and open any of these spam packages, as they could likely contain malware or other malicious code.

Via BleepingComputer

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.
