These spam packages use a naming style commonly associated with torrents and other pirated content online: each package's name combines a movie title, the current year and the words “online” and “free”, for example “watch-army-of-the-dead-2021-full-online-movie-free-hd-quality”.
Adam Boesch, a senior software engineer at Sonatype, first discovered these suspicious packages when he found a PyPI component named after a popular TV show. Boesch provided further insight on his discovery in an interview with BleepingComputer, saying:
“I was looking through the dataset and noticed 'wandavision' which is a bit strange for a package name. Looking closer I found that package and looked it up on PyPI because I didn't believe it. It's not uncommon in other ecosystems like npm, where you have millions of packages. Packages like these luckily are fairly easy to spot and avoid.”
In addition to spam keywords and links to illegal video streaming sites, the spam packages found on PyPI also contain files with functional code and author information stolen from legitimate Python software packages.
When BleepingComputer discovered a spam package titled “watch-army-of-the-dead-2021-full-online-movie-free-hd-quality” and investigated it, the news outlet found that it contained author information as well as some code from the “jedi-language-server” PyPI package.
While many similarly named packages used to be easy to find through a search for “full-online-movie-free” on PyPI, at the time of writing, it appears that the maintainers of the Python Package Index repository have cleaned up most of the spam.
However, Python developers looking for new packages on the repository should exercise caution before downloading and opening any of these spam packages, since they may well contain malware or other malicious code.
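The naming pattern described above (a title, a four-digit year and marketing words such as “watch”, “online” and “free”) is regular enough to screen for before a dependency is installed. The following script is an added example, not code from the article, Sonatype or PyPI: it tokenizes PyPI distribution names the way PEP 503 normalization does (treating `-`, `_` and `.` as equivalent) and flags names that combine a year with several of these keywords. The keyword list and the sample names other than the two the article quotes are constructed for this example. A name-only check is only a first filter: as the article notes, a package such as “wandavision” carries none of these tokens, and the copied author metadata and code would need a separate comparison against the legitimate package.

```python
import re

# Marketing words seen in the spam pattern quoted in the article ("watch", "full",
# "online", "movie", "free", "hd") plus a few assumed extras for this example.
SPAM_TOKENS = {
    "watch", "online", "free", "full", "movie", "hd",
    "stream", "streaming", "download",
}
YEAR_RE = re.compile(r"^(19|20)\d{2}$")


def normalize(name):
    """Split a PyPI distribution name into lowercase tokens.

    PEP 503 treats runs of '-', '_' and '.' as one separator, so the same
    spam name cannot slip past the check by swapping separators.
    """
    return [t for t in re.split(r"[-_.]+", name.lower()) if t]


def spam_score(name):
    """Return the indicators found in a name: keyword hits and a year token."""
    tokens = normalize(name)
    hits = [t for t in tokens if t in SPAM_TOKENS]
    has_year = any(YEAR_RE.match(t) for t in tokens)
    return {"name": name, "keyword_hits": hits, "has_year": has_year}


def is_spam_style(name):
    """Flag a name that reads like a pirated-stream listing.

    A year plus two keywords, or three keywords on their own, is required so
    that ordinary names such as 'free-proxy-list' or 'movie-db-2021' pass.
    """
    s = spam_score(name)
    return (s["has_year"] and len(s["keyword_hits"]) >= 2) or len(s["keyword_hits"]) >= 3


def flag_spam(names):
    """Return, in input order, the names that match the spam-style heuristic."""
    return [n for n in names if is_spam_style(n)]


# Constructed sample set: the first two names come from the article, the rest
# are made up for this example.
SAMPLE_NAMES = [
    "watch-army-of-the-dead-2021-full-online-movie-free-hd-quality",
    "jedi-language-server",
    "wandavision",                      # spotted by a human, not by this check
    "free-proxy-list",                  # one keyword: legitimate-looking
    "movie-db-2021",                    # year + one keyword: still passes
    "stream_free_online_2021_full_movie",  # separator swap does not help
    "requests",
]

if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        s = spam_score(name)
        verdict = "SPAM-STYLE" if is_spam_style(name) else "ok"
        print(f"{verdict:10} {name} hits={s['keyword_hits']} year={s['has_year']}")
```

Run as a script it prints one line per name; in a CI pipeline you would instead pass the names from a requirements or lock file into `flag_spam` and fail the build on a non-empty result, then review the flagged entries by hand.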
After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.