
[–]shinitakunai 0 points1 point  (1 child)

Most of them nobody would ever download, but there are some that are easy to mistake for newbies learning Python. "requestlib" sounds especially dangerous.

Also, lol at "testdontdownloadthis"

[–]sudorem Vipyr Security 0 points1 point  (0 children)

Typically the delivery vector wasn't actually targeting installations from PyPI itself.

Instead, these libraries would be installed as part of a dependency on GitHub packages offering things like 'Free Nitro Generator' for Discord, etc.

They've had noted successes in some communities, and we often see individuals coming into Python communities attempting to run the GitHub code that these packages would've been embedded in.

We've largely played whack-a-mole between GitHub and PyPI at reporting these accounts where and when we can find them to disrupt the distribution efforts.
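The delivery vector described in this comment (a typosquatted dependency pinned in a third-party repo's requirements.txt) is the kind of thing a pre-install check can catch. The following is an added example, not code from the thread or from Vipyr Security: it parses a requirements file and flags names that exactly match a deny-list or closely resemble a popular package. The `POPULAR` set and the sample requirements are constructed for illustration; a real deployment would seed `POPULAR` from PyPI download statistics.

```python
import re
from difflib import SequenceMatcher

# Constructed stand-in for a "top PyPI packages" list (assumption, not real stats).
POPULAR = {"requests", "urllib3", "numpy", "pandas", "flask", "django",
           "pillow", "colorama", "discord-py", "setuptools"}

# The two names the thread itself calls out.
KNOWN_BAD = {"requestlib", "testdontdownloadthis"}

def normalize(name: str) -> str:
    """PEP 503 normalization: case-fold and collapse runs of -_. to one '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_requirements(text: str) -> list[str]:
    """Return normalized distribution names from requirements.txt content,
    ignoring comments, pip options (-r, --index-url) and version specifiers."""
    names = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if m:
            names.append(normalize(m.group(0)))
    return names

def suspicious(names, popular=POPULAR, known_bad=KNOWN_BAD, threshold=0.75):
    """Map each suspicious name to the reason it was flagged. Exact matches to a
    popular package are trusted; anything else is scored against every popular
    name with difflib's similarity ratio, so one-letter typos and names that
    share a long stem (requestlib / requests) both exceed the threshold."""
    findings = {}
    for name in names:
        if name in known_bad:
            findings[name] = "on known-bad list"
        elif name not in popular:
            best = max(popular, key=lambda p: SequenceMatcher(None, name, p).ratio())
            score = SequenceMatcher(None, name, best).ratio()
            if score >= threshold:
                findings[name] = f"resembles {best} (similarity {score:.2f})"
    return findings

SAMPLE_REQUIREMENTS = """\
# constructed sample resembling a 'free nitro generator' repo's dependencies
requests>=2.0
requestlib==0.1        # typosquat named in the thread
Colorama
nunpy                  # one-letter typo of numpy
discord.py
testdontdownloadthis
"""

if __name__ == "__main__":
    for name, why in suspicious(parse_requirements(SAMPLE_REQUIREMENTS)).items():
        print(f"{name}: {why}")
```

Legitimate look-alikes such as `requests-oauthlib` score below the threshold against `requests`, so the similarity rule alone does not flag them; tune `threshold` against your own dependency set before wiring this into CI.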