https://github.com/fate0/cookiecutter-evilpy-package/tree/master/%7B%7Bcookiecutter.package_name%7D%7D
that's the package repo on GitHub. It's basically a test dummy package that reports users who have run that package template. The site referenced lists the package name that the user ran to get posted to the site. There appear to be many packages in PyPI that are built off this fatezero template. It is non-destructive... as a test payload. But the method used is obviously highly successful as an attack vector. There may be more nefarious packages already in PyPI. PyPI is not a very good package management solution. I advise most folks to build from PyPI in CI/CD but push to production via a real package management solution such as apt or yum. Always double check sources coming from the internet.

-Matt

On Thu, Jun 1, 2017 at 1:24 PM, Thomas Kluyver <tho...@kluyver.me.uk> wrote:
> On closer examination, those packages do not actually appear to upload
> any information - they seem to be empty packages placed there to serve
> as a warning.
>
> It's not clear to me whether the data on the fatezero.org website is
> from other packages which really do upload data, or if it's fake.
>
> On Thu, Jun 1, 2017, at 06:18 PM, Thomas Kluyver wrote:
> > Are we aware of this?
> > http://evilpackage.fatezero.org/
> >
> > I recall there were a couple of these before which were taken down, but
> > someone appears to have made a cookiecutter template so you can very
> > easily claim names on PyPI, and anyone who installs that package will
> > submit their information to that site. A couple that are up at the
> > moment:
> >
> > https://pypi.python.org/pypi/requirements-txt/1.1.1
> > https://pypi.python.org/pypi/ztz/0.1.1
> >
> > Do we delete them? Do we try to detect similar packages being uploaded
> > and block them? I suspect it's a waste of time to try to prevent this in
> > general, but maybe it's worth protecting likely names that people might
> > 'pip install' by mistake, such as requirements-txt.
> >
> > Thomas
_______________________________________________ Distutils-SIG maillist - Distutils-SIG@python.org https://mail.python.org/mailman/listinfo/distutils-sig
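As an added example (not code from this thread, from the fatezero template, or from PyPI itself), a defender-side check in the spirit of the "protect likely names" suggestion above: it normalizes package names per PEP 503 and flags requirement entries that are a known mistaken name, an edit-distance lookalike of a watch-listed name, or a watch-listed name with something bolted on. The watch-list, the 0.85 similarity cutoff and the sample requirements file are constructed assumptions, not data from the thread.

```python
import difflib
import re

# Constructed watch-list (assumption): names people commonly intend to install.
# A real deployment would load a current list of popular PyPI projects instead.
PROTECTED_NAMES = ["requests", "numpy", "setuptools", "django", "flask", "urllib3"]
# Names typed by mistake, e.g. "pip install requirements-txt" instead of
# "pip install -r requirements.txt", as raised in the thread.
MISTAKE_NAMES = ["requirements-txt"]

def normalize(name):
    """PEP 503 name normalization: lower-case, runs of '-', '_', '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def flag_package_name(name, cutoff=0.85):
    """Classify a requested name: ok, mistake-name, lookalike, affix or unknown."""
    n = normalize(name)
    protected = [normalize(p) for p in PROTECTED_NAMES]
    if n in protected:
        return {"name": name, "reason": "ok", "match": n}
    if n in [normalize(m) for m in MISTAKE_NAMES]:
        return {"name": name, "reason": "mistake-name", "match": n}
    # Edit-distance lookalike of a protected name (e.g. "reqeusts"); the 0.85
    # cutoff is an assumed tuning value, not a standard.
    close = difflib.get_close_matches(n, protected, n=1, cutoff=cutoff)
    if close:
        return {"name": name, "reason": "lookalike", "match": close[0]}
    # Protected name with something bolted on (e.g. "python-flask", "numpy2").
    for p in protected:
        if n != p and (n.startswith(p) or n.endswith(p)):
            return {"name": name, "reason": "affix", "match": p}
    return {"name": name, "reason": "unknown", "match": None}

def audit_requirements(text):
    """Run flag_package_name over a requirements file; return non-ok verdicts."""
    findings = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):   # skip blanks and options like -r/-e
            continue
        name = re.split(r"[\s<>=!~\[;@]", line, maxsplit=1)[0]
        verdict = flag_package_name(name)
        if verdict["reason"] != "ok":
            findings.append(verdict)
    return findings

# Constructed sample requirements file with one typo and one mistaken name.
SAMPLE_REQUIREMENTS = "requests==2.18.0\nreqeusts\nrequirements-txt\nnumpy>=1.12\n"
```

Running `audit_requirements(SAMPLE_REQUIREMENTS)` in CI before any `pip install` step reports the typo and the mistaken name while letting the exact watch-listed names through; names the list does not know come back as "unknown" for a human to review, not as a block.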