> This makes me remember 
> https://hackernoon.com/building-a-botnet-on-pypi-be1ad280b8d6 on a related 
> note.


Yep, that’s basically the same thing. Instead of using package names of 
builtins, the attacker is using a combination of popular apt/yum packages with 
a mix of package names with typos.

During development, it’s not uncommon to make mistakes like:

pip install requirements.txt (forgot the -r)
pip install requestd (typo)
pip install tkinter (not registered)

Or to use the wrong package manager (apt-get install python-dev vs. pip install 
python-dev). 

I wonder if it would make sense to build some kind of blacklist for this. 
According to the blog post there were close to 10k installs over a period of 
just three days. I believe Debian is running some kind of popularity contest 
for their packages which could be used to identify problematic packages. This 
will be a lot of manual work, but I’d work on a list like this.


_______________________________________________
Distutils-SIG maillist  -  Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig
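The mistakes listed in the message above (a requirements file passed as a package name, a typo of a popular package, a standard-library module that is not on the index, an apt/yum package name given to pip) can all be caught on the client before the request ever reaches PyPI. The script below is an added example, not code from the thread or from pip itself, of such a pre-install guard. The popular-package list is constructed here and stands in for the kind of download-statistics data the message suggests; the heuristics (PEP 503 name normalization, `sys.stdlib_module_names` where the interpreter provides it, difflib similarity for typos, a regex for distro-style names) are assumptions about how one would build the check, not anything the post specifies.

```python
"""Pre-install guard for pip package names (added example, not pip's code).

Flags the kinds of mistakes described in the thread before they reach the
index: a filename passed as a package name (forgot ``-r``), a request for a
module that ships with the interpreter, a distro-style apt/yum name, and a
name that looks like a typo of a popular package.
"""
import difflib
import re
import sys

# Constructed allow-list standing in for a real popularity-derived list
# (constructed for this example; not from the original post).
POPULAR_PACKAGES = {
    "requests", "numpy", "django", "flask", "urllib3", "setuptools",
    "pip", "six", "pyyaml", "cryptography",
}

# Standard-library module names: Python >= 3.10 exposes the full list; a
# small constructed fallback keeps the example working on older versions.
STDLIB_MODULES = set(getattr(sys, "stdlib_module_names", ())) | {
    "tkinter", "os", "json", "sqlite3",
}

# apt/yum naming conventions: "python-foo", "python3-foo", "foo-dev(el)".
DISTRO_NAME_RE = re.compile(r"^python[23]?-.*|.*-(dev|devel)$")

# A requirements/config file handed to pip as if it were a package.
FILENAME_RE = re.compile(r"\.(txt|cfg|ini|toml|py)$", re.IGNORECASE)


def normalize(name):
    """PEP 503 normalization: case-fold and collapse runs of [-_.] to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def check_package_name(name, popular=POPULAR_PACKAGES, cutoff=0.8):
    """Return a list of (reason, detail) findings for one requested name.

    An empty list means none of the heuristics fired; it is not proof that
    the package is legitimate.
    """
    findings = []
    norm = normalize(name)
    popular_norm = {normalize(p) for p in popular}

    # Names on the allow-list are trusted; heuristics apply only to the rest.
    if norm in popular_norm:
        return findings

    if FILENAME_RE.search(name):
        findings.append(("looks_like_file",
                         "did you mean 'pip install -r %s'?" % name))
        return findings

    if norm in STDLIB_MODULES or norm.replace("-", "_") in STDLIB_MODULES:
        findings.append(("stdlib_module",
                         "%s ships with Python; nothing to install" % name))
        return findings

    if DISTRO_NAME_RE.match(norm):
        findings.append(("distro_package_name",
                         "%s looks like an apt/yum package, not a PyPI one" % name))

    # Edit-distance style check: a near miss on a popular name is the classic
    # typosquat shape ("requestd" vs "requests").
    close = difflib.get_close_matches(norm, sorted(popular_norm), n=1, cutoff=cutoff)
    if close:
        findings.append(("possible_typosquat", "did you mean '%s'?" % close[0]))
    return findings


def scan(names):
    """Check several requested names; returns {name: findings} for flagged ones."""
    return {n: f for n in names if (f := check_package_name(n))}


if __name__ == "__main__":
    # Usage: python guard.py requestd tkinter requirements.txt python-dev
    for pkg, reasons in scan(sys.argv[1:]).items():
        for reason, detail in reasons:
            print("%s: %s (%s)" % (pkg, reason, detail))
```

The guard is meant to sit in front of `pip install` (a shell wrapper or a CI step) and refuse or prompt on any finding; the cutoff of 0.8 catches one-character typos of short names while leaving genuinely different names alone, and the allow-list short-circuit keeps legitimate `python-*` distributions from being flagged once they are on the list.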