
According to foreign media BleepingComputer, the official Python package repository PyPI was flooded with junk packages.

These packages are named after different movies, in the style of piracy sites that host pirated content, for example watch-(movie-name)-2021-full-online-movie-free-hd-....


Each junk package is published from a unique pseudonymous maintainer account, which makes it harder for PyPI to remove the junk packages and the junk accounts in one sweep.

These junk packages were first discovered by Adam Boesch, a senior software engineer at Sonatype. While reviewing a data set, he found a PyPI component named after a popular TV series.

"When I browsed the data set, I noticed that there was a component whose name was 'Wanda vision'. The name of the package was a bit strange. After careful inspection, I found that package and searched for it on PyPI. This situation is not uncommon in other ecosystems, such as npm, which contains millions of packages. Fortunately, such packages are easy to find and avoid."

For several weeks, the PyPI repository has been filling up with junk packages (Source: BleepingComputer)

Some of these packages are several weeks old, but spammers keep adding new ones to PyPI. The pages of these fake packages contain spam keywords and links to movie streaming sites of questionable legitimacy, for example: https://besflix[.]com/movie/XXXXX/profile.html

Besides the spam keywords and links to video streaming sites, these packages also contain files with functional code and author information copied from legitimate PyPI packages. For example, the junk package "watch-army-of-the-dead-2021-full-online-movie-free-hd-quality" contains author information and some code taken from the legitimate PyPI package "jedi-language-server".

A PyPI junk package contains code copied from a real component (Source: BleepingComputer)

Searching for "full-online-movie-free" on PyPI easily turns up many packages named this way. At the time of writing, the maintainers of the Python package repository appear to have cleaned up most of the junk packages.

However, Python developers should still be extra cautious about downloading and opening any such junk packages, as they may well contain malware or other malicious code.

Mixing code from legitimate packages into fake or malicious packages helps attackers cover their tracks and makes detecting these packages more challenging.
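As an added example (not code from the article or from BleepingComputer), a small Python check that applies the two observations above to package metadata before installation: it flags names that follow the "watch-...-full-online-movie-free" spam pattern, and it flags a spam-named package whose author e-mail is shared with an unrelated, legitimate-looking package, as with the copied "jedi-language-server" metadata. The sample records, the e-mail addresses and the regular expression are constructed assumptions, not real PyPI data.

```python
import re
from collections import defaultdict

# Naming pattern described in the article:
# watch-<movie-name>-2021-full-online-movie-free-hd-...  (regex is an assumption)
SPAM_NAME_RE = re.compile(
    r"^watch-[a-z0-9-]+-(19|20)\d{2}-full-online-movie-free(-[a-z0-9-]+)?$"
)


def normalize(name: str) -> str:
    """PEP 503 name normalisation so 'Watch_Foo' and 'watch-foo' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def is_spam_name(name: str) -> bool:
    """True when the package name follows the movie-spam naming scheme."""
    n = normalize(name)
    return bool(SPAM_NAME_RE.match(n)) or "full-online-movie-free" in n


def flag_packages(records):
    """records: iterable of dicts with keys name, author, author_email.

    Returns {normalized_name: [reason, ...]} for every suspicious package.
    """
    findings = defaultdict(list)
    names_by_email = defaultdict(set)
    for r in records:
        n = normalize(r["name"])
        if is_spam_name(n):
            findings[n].append("name matches movie-spam pattern")
        if r.get("author_email"):
            names_by_email[r["author_email"].lower()].add(n)
    # A spam-named package reusing the author e-mail of an unrelated package is
    # consistent with author metadata copied from a legitimate project.
    for email, names in names_by_email.items():
        spam = {n for n in names if is_spam_name(n)}
        legit = names - spam
        if spam and legit:
            for n in spam:
                findings[n].append(f"author e-mail {email} reused from {sorted(legit)}")
    return dict(findings)


# Constructed sample metadata (not real PyPI records; addresses are placeholders)
SAMPLE = [
    {"name": "jedi-language-server", "author": "Maintainer", "author_email": "maintainer@example.invalid"},
    {"name": "watch-army-of-the-dead-2021-full-online-movie-free-hd-quality",
     "author": "Maintainer", "author_email": "maintainer@example.invalid"},
    {"name": "requests", "author": "Someone Else", "author_email": "someone@example.invalid"},
]

if __name__ == "__main__":
    for name, reasons in flag_packages(SAMPLE).items():
        print(name, "->", "; ".join(reasons))
```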

According to ZDNet reports, in February this year, PyPI was flooded with fake "Discord", "Google" and "Roblox" keygens due to a large-scale spam attack.

At the time, Ewa Jodlowska, executive director of the Python Software Foundation, said that PyPI administrators were working hard to address the spam attacks. However, given the nature of pypi.org, where anyone can publish to the repository, such abuse is very common.

In recent months, attacks on open source ecosystems such as npm, RubyGems, and PyPI have escalated. Attackers flood these repositories with malware, dependency-confusion copycat packages, and spam. Protecting these software repositories has become a game of whack-a-mole between attackers and repository maintainers.
