Official Python software package repository flooded with spam
Spam packages used to drive traffic to pirated movie links
The official Python software package repository PyPI is under attack from threat actors that have begun flooding it with spam packages according to a new report from BleepingComputer.
These spam packages use a naming style that is commonly associated with torrents and other pirated content online where each package's name contains the title of a movie, the current year and the words online and free like this “watch-army-of-the-dead-2021-full-online-movie-free-hd-quality”.
- We've built a list of the best endpoint protection software
- These are the best laptops for developers on the market
- Also check out our roundup of the best firewall
Senior software engineer at Sonatype, Adam Boesch first discovered these suspicious packages when he found a PyPI component named after a popular TV show. Boesch provided further insight on his discovery in an interview with BleepingComputer, saying:
"I was looking through the dataset and noticed 'wandavision' which is a bit strange for a package name. Looking closer I found that package and looked it up on PyPI because I didn't believe it. It's not uncommon in other ecosystems like npm, where you have millions of packages. Packages like these luckily are fairly easy to spot and avoid.”
Spam packages
In addition to spam keywords and links to illegal video streaming sites, the spam packages found on PyPI also contain files with functional code and author information stolen from legitimate Python software packages.
When BleepingComputer discovered a spam package titled “watch-army-of-the-dead-2021-full-online-movie-free-hd-quality” and investigated it, the news outlet found that it contained author information as well as some code from the “jedi-language-server” PyPI package.
While many similarly named packages used to be easy to find through a search for “full-online-movie-free” on PyPI, at the time of writing, it appears that the maintainers of the Python Package Index repository have cleaned up most of the spam.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
However, Python developers looking for new packages on the repository should exercise caution if they decide to download and open any of these spam packages as they could likely contain malware or other malicious code.
- We've also featured the best antivirus
Via BleepingComputer
After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.