The official Python software package repository, PyPI, is under attack from threat actors who have begun flooding it with spam packages, according to a new report from BleepingComputer.
These spam packages use a naming style commonly associated with torrents and other pirated content: each package name contains a movie title, the current year and the words “online” and “free”, as in “watch-army-of-the-dead-2021-full-online-movie-free-hd-quality”.
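As an added example (not code from the article, from Sonatype or from BleepingComputer), the following Python heuristic flags package names that fit this torrent-style pattern and scans a requirements file for them. The keyword list, the year test, the scoring and the threshold are assumptions made for illustration, not a published detection rule, and the sample requirements file is constructed; a name that carries none of the keywords (a bare TV-show title, for instance) is not caught by it.

```python
import re

# Assumed keyword list: tokens typical of pirated-stream spam names (not from the article).
STREAM_WORDS = {
    "watch", "online", "free", "stream", "streaming", "full", "movie",
    "hd", "quality", "download", "torrent", "123movies", "putlocker",
}
# A bare four-digit year token, 1980-2049 (assumed range).
YEAR_RE = re.compile(r"(19[89][0-9]|20[0-4][0-9])")


def normalize(name: str) -> str:
    """PEP 503 name normalisation: lower-case, runs of '-', '_' and '.' become one '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def spam_score(name: str):
    """Return (score, matched keywords, has_year) for a package name.

    Score = number of distinct stream keywords
          + 2 if a year token is present
          + 1 if the name is unusually long (6+ tokens).
    """
    tokens = normalize(name).split("-")
    hits = sorted({t for t in tokens if t in STREAM_WORDS})
    has_year = any(YEAR_RE.fullmatch(t) for t in tokens)
    score = len(hits) + (2 if has_year else 0) + (1 if len(tokens) >= 6 else 0)
    return score, hits, has_year


def is_stream_spam(name: str, threshold: int = 4) -> bool:
    """Assumed threshold: several keywords, or keywords plus a year, trips it."""
    return spam_score(name)[0] >= threshold


def scan_requirements(text: str):
    """Return normalised names of requirement lines whose name looks like stream spam.

    Handles comments, blank lines and pip options (lines starting with '-');
    the name is everything before the first version/extra/marker character.
    """
    flagged = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        name = re.split(r"[\s<>=!~;\[@]", line, maxsplit=1)[0]
        if name and is_stream_spam(name):
            flagged.append(normalize(name))
    return flagged


# Constructed sample requirements file (not from the article).
SAMPLE_REQUIREMENTS = """\
# constructed sample
requests>=2.25
jedi-language-server==0.34.0
Watch_Army.of.the.Dead-2021-full-online-movie-free-hd-quality
-e git+https://example.invalid/repo.git#egg=mypkg
"""

if __name__ == "__main__":
    for n in ("watch-army-of-the-dead-2021-full-online-movie-free-hd-quality",
              "jedi-language-server", "wandavision"):
        print(n, spam_score(n), is_stream_spam(n))
    print("flagged in requirements:", scan_requirements(SAMPLE_REQUIREMENTS))
```

The check is deliberately name-only so it can run offline in a pre-commit hook or CI step; it is a cheap first filter, not a substitute for reviewing what a package actually installs.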
Adam Boesch, a senior software engineer at Sonatype, first noticed the suspicious packages when he came across a PyPI component named after a popular TV show. He told BleepingComputer:
“I was looking through the dataset and noticed 'wandavision' which is a bit strange for a package name. Looking closer I found that package and looked it up on PyPI because I didn't believe it. It's not uncommon in other ecosystems like npm, where you have millions of packages. Packages like these luckily are fairly easy to spot and avoid.”
In addition to spam keywords and links to illegal video-streaming sites, the spam packages found on PyPI contain files with functional code and author information copied from legitimate Python packages.
When BleepingComputer investigated the spam package “watch-army-of-the-dead-2021-full-online-movie-free-hd-quality”, it found that the package contained author information and some code taken from the legitimate “jedi-language-server” PyPI package.
Many similarly named packages used to turn up in a PyPI search for “full-online-movie-free”; at the time of writing, the PyPI maintainers appear to have removed most of the spam.
Python developers looking for new packages on the repository should nonetheless treat any such package as untrusted: installing a package runs whatever code it ships, and packages like these could carry malware or other malicious code.
Via BleepingComputer