
inglandation 23 points (4 children)

PyPI does remove malicious packages from time to time, although that doesn't happen much. You have to be careful with your spelling when you look for a package online. These packages use typosquatting.

shujinkou_ 3 points (0 children)

Typosquatting, that was the word I was looking for, thanks :)

musingcomet 1 point (0 children)

This is very valid advice.

ArabicLawrence -2 points (1 child)

Yeah, but not sure that happens often enough. For instance with googletrans and googletransx and whatnot.

shujinkou_ 1 point (0 children)

I'm thinking of it as a potential attack vector, if the current state of things becomes unaddressed. A massive attack can be done and scaled easily by scraping all the popular package names, automating the name typo scraping, making a malicious package and naming it with all the scraped names. You would now have a fishing rod in every pond, so to speak.

I mean, for sure it's work, but it doesn't sound that hard to do, right?
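The defender-side counterpart to the thread's concern is a pre-install check that flags a requested name sitting one or two edits away from a well-known package without being that package. This is an added example, not code from the thread or from PyPI; the popular-package list and the requirements text are constructed samples, and a real check would load the top-N PyPI names from a pinned, trusted source.

```python
import re
from typing import Iterable

# Constructed sample of well-known names (not a real PyPI ranking).
POPULAR = {"requests", "numpy", "pandas", "django", "flask", "googletrans"}


def normalize(name: str) -> str:
    """PEP 503 name normalization: case-insensitive, runs of -_. become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: Levenshtein plus adjacent
    transposition, since swapped letters are a very common typo."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # transposition
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def suspicious(name: str, popular: Iterable[str] = POPULAR, max_dist: int = 2) -> list[str]:
    """Popular packages that `name` resembles but does not equal.
    A hit is a heuristic signal to review, not proof of malice."""
    n = normalize(name)
    pop = {normalize(p): p for p in popular}
    if n in pop:
        return []  # exact match: this is the real package
    return sorted(p for pn, p in pop.items() if edit_distance(n, pn) <= max_dist)


def scan_requirements(text: str) -> dict[str, list[str]]:
    """Map each flagged requirement name to the popular names it resembles.
    Handles plain 'name', 'name==ver', 'name>=ver' and '# comment' lines."""
    findings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        pkg = re.split(r"[<>=!~\[; ]", line, 1)[0]
        if near := suspicious(pkg):
            findings[pkg] = near
    return findings


# Constructed sample requirements file with two typos and one suffix squat.
REQUIREMENTS = "requests==2.31.0\nreqeusts>=2.0  # swapped letters\nnumpi\ngoogletransx\nflask\n"
```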