On Thu, Jun 1, 2017 at 3:20 PM, Jannis Gebauer <ja....@me.com> wrote:

> This makes me remember
> https://hackernoon.com/building-a-botnet-on-pypi-be1ad280b8d6 on a related
> note.
>
> Yep, that's basically the same thing. Instead of using package names of
> builtins, the attacker is using a combination of popular apt/yum packages
> with a mix of package names with typos.
>
> During development, it's not uncommon to make mistakes like:
>
> pip install requirements.txt (forgot the -r)
> pip install requestd (typo)
> pip install tkinter (not registered)
>
> Or to use the wrong package manager (apt-get install python-dev vs. pip
> install python-dev).
>
> I wonder if it would make sense to build some kind of blacklist for this.
> According to the blog post there were close to 10k installs over a period of
> just three days. I believe Debian is running some kind of popularity contest
> for their packages which could be used to identify problematic packages.
> This will be a lot of manual work, but I'd work on a list like this.
Does PyPA have a list of the most 404'ed requests for PyPI? As `pip install doesnotexists` will get PyPI's `pypi.python.org/simple/doesnotexist/`, we can likely get a quick idea of what is currently unregistered and could potentially be dangerous. That seems more efficient than trying to guess.

--
M

_______________________________________________
Distutils-SIG maillist - Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig
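The idea in the reply above, sketched as an added example that is not part of the thread or of any PyPA tooling: count 404s on the `/simple/<name>/` index from a (constructed) access log, then label each missing name as a likely typo of a popular project, a stdlib/apt name that was never a PyPI project, or a file name passed by mistake, so a maintainer knows which names to reserve or block first. The log lines, the `POPULAR` ranking and the `NOT_PYPI` set are all constructed stand-ins.

```python
import re
from collections import Counter

# Constructed sample of simple-index access-log lines (not real PyPI data).
SAMPLE_LOG = """\
10.0.0.1 - - [01/Jun/2017:15:20:01 +0000] "GET /simple/requests/ HTTP/1.1" 200 1234
10.0.0.2 - - [01/Jun/2017:15:20:02 +0000] "GET /simple/requestd/ HTTP/1.1" 404 0
10.0.0.3 - - [01/Jun/2017:15:20:03 +0000] "GET /simple/requirements.txt/ HTTP/1.1" 404 0
10.0.0.4 - - [01/Jun/2017:15:20:04 +0000] "GET /simple/requestd/ HTTP/1.1" 404 0
10.0.0.5 - - [01/Jun/2017:15:20:05 +0000] "GET /simple/tkinter/ HTTP/1.1" 404 0
10.0.0.6 - - [01/Jun/2017:15:20:06 +0000] "GET /simple/python-dev/ HTTP/1.1" 404 0
"""

POPULAR = ["requests", "numpy", "six", "setuptools", "pip"]  # constructed ranking
NOT_PYPI = {"tkinter", "python-dev"}  # stdlib module / apt name, no PyPI project

LOG_RE = re.compile(r'"GET /simple/([^/ ]+)/ HTTP/[\d.]+" (\d{3}) ')

def normalize(name):
    # PEP 503 style: case-fold and collapse runs of '-', '_' and '.'
    return re.sub(r"[-_.]+", "-", name).lower()

def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def count_404s(log_text):
    """Map each requested-but-missing project name to its request count."""
    counts = Counter()
    for name, status in LOG_RE.findall(log_text):
        if status == "404":
            counts[name.lower()] += 1
    return counts

def classify(name):
    """Label a missing name as a reviewer of a reservation list would."""
    if name.endswith((".txt", ".py", ".cfg")):
        return ("filename", None)  # e.g. `pip install requirements.txt`
    norm = normalize(name)
    if norm in NOT_PYPI:
        return ("not-pypi", None)
    for pop in POPULAR:
        if levenshtein(norm, pop) <= 2:  # one or two keystrokes from a popular name
            return ("typo", pop)
    return ("unknown", None)

def candidates(log_text):
    """Most-requested missing names first, each with its label and nearest target."""
    return [(n, c) + classify(n) for n, c in count_404s(log_text).most_common()]
```

Run `candidates(SAMPLE_LOG)` to get the ranked list; names that resolved with 200 never appear, so the output is exactly the "currently unregistered" set the reply asks about.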