The official Python package repository, PyPI, is under attack from threat actors who have begun flooding it with spam packages, according to a new report from BleepingComputer.
These spam packages use a naming style commonly associated with torrents and other pirated content online: each package's name combines a movie title, the current year, and the words “online” and “free”, as in “watch-army-of-the-dead-2021-full-online-movie-free-hd-quality”.
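That naming style is regular enough to screen for mechanically. The following is an added example (not code from BleepingComputer, Sonatype, or PyPI) that scores a package name on how many pirated-media keywords it contains, with an extra weight for a standalone release-year token, and flags names above a threshold. The keyword list, the year range, the threshold of 4, and every sample name other than the one quoted above are assumptions constructed for this example.

```python
import re

# Vocabulary typical of "watch <title> <year> online free" package names.
# Assumed list assembled for this example; extend it as you see more samples.
SPAM_TOKENS = {
    "watch", "online", "free", "full", "movie", "hd", "quality",
    "stream", "streaming", "download", "720p", "1080p",
}

# A standalone token that looks like a film/TV release year (1950-2049, assumed range).
YEAR_RE = re.compile(r"^(19[5-9]\d|20[0-4]\d)$")


def tokenize(name):
    """Split a distribution name into lowercase tokens.

    PyPI treats '-', '_' and '.' as equivalent separators and names as
    case-insensitive (PEP 503), so normalise the same way before matching.
    """
    return [t for t in re.split(r"[-_.]+", name.lower()) if t]


def spam_score(name):
    """Count keyword hits; a release-year token adds 2 because it is the
    strongest single signal of the "title + year" pattern."""
    tokens = tokenize(name)
    hits = sum(1 for t in tokens if t in SPAM_TOKENS)
    has_year = any(YEAR_RE.match(t) for t in tokens)
    return hits + (2 if has_year else 0)


def looks_like_media_spam(name, threshold=4):
    """True when the name matches the pirated-media naming style.

    With the default threshold a year plus two keywords, or four keywords
    with no year, is enough; a year alone or a single keyword is not, so
    ordinary names that happen to contain '2021' or 'free' pass through.
    """
    return spam_score(name) >= threshold


def triage(names):
    """Return the subset of names that should be pulled for manual review."""
    return [n for n in names if looks_like_media_spam(n)]


# Constructed sample feed: the real name quoted in the article plus
# made-up benign names chosen to exercise the edge cases.
SAMPLE_NAMES = [
    "watch-army-of-the-dead-2021-full-online-movie-free-hd-quality",
    "requests",
    "myproject-2021",          # year only: must not be flagged
    "free-online-calculator",  # two keywords, no year: must not be flagged
    "wandavision",             # short TV-show name: this heuristic cannot catch it
]

if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        print(f"{spam_score(name):2d}  {name}")
    print("flagged:", triage(SAMPLE_NAMES))
```

The last sample is the honest caveat: a package named only after a show, like the one Boesch noticed, carries none of these tokens and needs a different signal (a watch-list of media titles, or the metadata checks described below) rather than this name-shape heuristic.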
Adam Boesch, a senior software engineer at Sonatype, first discovered these suspicious packages when he found a PyPI component named after a popular TV show. Boesch provided further insight on his discovery in an interview with BleepingComputer, saying:
“I was looking through the dataset and noticed ‘wandavision’ which is a bit strange for a package name. Looking closer I found that package and looked it up on PyPI because I didn’t believe it. It’s not uncommon in other ecosystems like npm, where you have millions of packages. Packages like these luckily are fairly easy to spot and avoid.”
Spam packages
In addition to spam keywords and links to illegal video streaming sites, the spam packages found on PyPI also contain files with functional code and author information stolen from legitimate Python software packages.
When BleepingComputer discovered a spam package titled “watch-army-of-the-dead-2021-full-online-movie-free-hd-quality” and investigated it, the news outlet found that it…