The Python Package Index (PyPI), the repository through which the Python community finds, installs and shares software for the Python programming language, is being inundated with junk packages.
The names of these packages mimic various popular movie titles, in the style of the torrent and pirated-content listings spread across the Internet: watch-(movie-name)-2021-full-on-line-movie-free-HD-…
Each package is published by a fictitious maintainer account, which makes it difficult for the Python Package index to get rid of both packages and spam accounts.
Adam Boesch, a senior software engineer at Sonatype, discovered the problem when he audited a data set and identified a PyPI component named after a popular TV sitcom, which sounded odd.
“I noticed ‘wandavision’ while looking at the data set, which is a bit strange for a package name. Because I didn’t believe it, I took a closer look and looked it up on PyPI.”
According to BleepingComputer, spammers keep adding updated packages to PyPI, even though some of them are weeks old.
The “10,000+” number in the search results may be inaccurate, as they note that the true number of spam packages displayed in the PyPI warehouse is much lower.
Here is one example of the many such packages that have been published.
In February, fake “Discord,” “Google,” and “Roblox” packages flooded PyPI in a huge spam attack, ZDNet reported. Ewa Jodlowska, executive director of the Python Software Foundation, told the technology news site that PyPI administrators are working to combat spam attacks, but that because of the nature of pypi.org, where anyone can publish to the repository, such incidents are not uncommon.
These packages contain not only links to quasi-video-streaming sites and spam keywords, but also working code files and author information copied from legitimate PyPI packages.
BleepingComputer noticed that the “watching-arm-of-the-Dead-2021-full-on-the-movie-free-HD-quality” spam package “contains author information and some code from the legitimate PyPI package ‘Jedi-Language-Server’.”
“To prevent these packages from being easily discovered, malicious hackers combine the code of valid packages with fake or malicious packages to hide their tracks,” Adam Boesch said. “This is not uncommon in other ecosystems, such as NPM, where you have millions of packages. Packages like this, fortunately, are fairly easy to spot and avoid.”
It’s always a good idea to investigate a software package before using it. If something doesn’t look right, there’s a reason for it.
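Part of that vetting can be automated. The following Python script is an added example, not code from the article, Sonatype or PyPI: it applies three of the indicators the article describes (the movie-title name template, streaming-advert wording in the summary/description, and an author block copied from a legitimate package) to constructed sample records shaped like the `info` object of the PyPI JSON API. The sample package names, e-mail addresses and the `LEGIT_AUTHORS` allowlist are assumptions made for the example.

```python
import re

# Constructed sample records in the shape of the "info" object returned by the
# PyPI JSON API (https://pypi.org/pypi/<name>/json). All names, e-mails and URLs
# below are made up for this example; only the spam name template mirrors the
# wave described in the article.
SAMPLE_RECORDS = [
    {
        "name": "watch-example-movie-2021-full-online-movie-free-hd",
        "summary": "Watch Example Movie (2021) full movie online free HD",
        "description": "Stream now: https://example-stream.invalid/watch",
        "author": "Legit Maintainer",
        "author_email": "maintainer@example.org",
    },
    {
        "name": "example-language-server",
        "summary": "A language server for Example",
        "description": "Implements the Language Server Protocol for Example.",
        "author": "Legit Maintainer",
        "author_email": "maintainer@example.org",
    },
]

# Packages an organisation already trusts, keyed by maintainer e-mail (constructed).
# Spam that copies a legitimate package's author block shares the e-mail but not the name.
LEGIT_AUTHORS = {"maintainer@example.org": {"example-language-server"}}

# Filler words from the "watch-<title>-<year>-full-...-movie-free-hd" template.
SPAM_NAME_WORDS = {"full", "movie", "online", "free", "hd", "quality", "stream", "streaming"}
STREAMING_PHRASES = re.compile(
    r"\b(?:watch|stream(?:ing)?|full movie|free hd|online)\b", re.IGNORECASE
)


def name_looks_like_movie_spam(name):
    """True if a project name follows the movie-spam template: it starts with
    watch/watching, carries a four-digit year and at least two filler words."""
    tokens = re.split(r"[-_.]+", name.lower())
    starts_with_watch = tokens[0] in ("watch", "watching")
    has_year = any(re.fullmatch(r"(?:19|20)\d{2}", t) for t in tokens)
    filler_hits = sum(t in SPAM_NAME_WORDS for t in tokens)
    return starts_with_watch and has_year and filler_hits >= 2


def spam_indicators(info, legit_authors):
    """Return human-readable indicators for one package record (empty list = nothing found)."""
    indicators = []
    name = info.get("name", "")
    text = " ".join(info.get(k) or "" for k in ("summary", "description"))

    if name_looks_like_movie_spam(name):
        indicators.append("name follows the movie-spam template")

    # Two or more streaming-advert phrases in the summary/description is a strong
    # signal for something that claims to be a code library.
    if len(list(STREAMING_PHRASES.finditer(text))) >= 2:
        indicators.append("summary/description reads like a streaming-site advert")

    # Author block copied from a legitimate package: same maintainer e-mail, but the
    # name is not among that maintainer's known projects.
    email = (info.get("author_email") or "").lower()
    known = legit_authors.get(email)
    if known is not None and name not in known:
        indicators.append(
            f"author e-mail belongs to the maintainer of {sorted(known)} but this name is unknown"
        )
    return indicators


def triage(records, legit_authors=LEGIT_AUTHORS):
    """Map each package name to its indicators so a reviewer sees why it was flagged."""
    return {r["name"]: spam_indicators(r, legit_authors) for r in records}


if __name__ == "__main__":
    for name, hits in triage(SAMPLE_RECORDS).items():
        verdict = "FLAG" if hits else "ok  "
        print(f"{verdict} {name}: {'; '.join(hits) or 'no indicators'}")
```

None of these heuristics proves a package is spam on its own; together they are enough to route a package to a human before it is installed, which is the check the article recommends. Against live data the same functions can be fed the `info` object fetched from the JSON API.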
Attacks on open-source ecosystems such as NPM, RubyGems and PyPI have increased rapidly in recent times. We see cybercriminals uploading packages full of malware, malicious imitators of popular packages, or simply vigilantes publishing packages to spread their message.
Protecting these repositories has become a game of whack-a-mole between cybercriminals and repository maintainers.
The original link: heimdalsecurity.com/blog/pypi-r…