Spammers flood PyPI with pirated movie links and bogus packages

3 years ago 182
BOOK THIS SPACE FOR AD
ARTICLE AD

pypi

The official Python software package repository, PyPI, is getting flooded with spam packages, as seen by BleepingComputer.

These packages are named after different movies in a style that is commonly associated with torrents and "warez" sites hosting pirated content.

Each of these packages is posted by a unique pseudonymous maintainer account, making it challenging for PyPI to remove the packages and spam accounts all at once.

PyPI is being flooded with spam packages

PyPI is being flooded with spam packages named after popular movies in a style commonly associated with torrent or "warez" sites that provide pirated downloads: watch-(movie-name)-2021-full-online-movie-free-hd-...

The discovery came to light when Adam Boesch, senior software engineer at Sonatype was auditing a dataset and noticed a funny-sounding PyPI component named after a popular TV sitcom.

"I was looking through the dataset and noticed 'wandavision' which is a bit strange for a package name."

"Looking closer I found that package and looked it up on PyPI because I didn't believe it," Boesch told BleepingComputer in an interview.

pypi spam packagesPyPI repository flooded with spam packages since a few weeks ago
Source: BleepingComputer

Although some of these packages are a few weeks old, BleepingComputer observed that spammers are continuing to add newer packages to PyPI, as recently as an hour ago.

The search result count of "10,000+" could be inaccurate, as we observed the actual number of spam packages being shown on PyPI repository was much less. 

The web page for these bogus packages contain spam keywords and links to movie streaming sites, albeit of questionable legitimacy and legality, such as:

https://besflix[.]com/movie/XXXXX/profile.html

Below is one example of the many packages posted about an hour ago, at the time of writing:

PyPI spam packages posted todaySpammers continue to flood PyPI today, at the time of writing
Source: BleepingComputer

BleepingComputer also observed each of these packages were published by a distinct author (maintainer) account using a pseudonym, likely to make it hard for PyPI admins to take these packages down.

Today's finding comes to light after in February, PyPI had been flooded with bogus "Discord", "Google", and "Roblox" keygens in a massive spam attack, as reported by ZDNet.

At the time, Ewa Jodlowska, Executive Director of the Python Software Foundation had told ZDNet that the PyPI admins were working on addressing the spam attack, however, by the nature of pypi.org, anyone could publish to the repository, and such occurrences were common.

Packages contain code from legitimate PyPI components

Other than containing spam keywords and links to quasi-video streaming sites, these packages contain files with functional code and author information lifted from legitimate PyPI packages.

For example, BleepingComputer observed that the spam package "watch-army-of-the-dead-2021-full-online-movie-free-hd-quality," contained author information and some code from the legitimate PyPI package, "jedi-language-server."

inside of PyPI spam packagesInside of PyPI spam packages is code borrowed from real components
Source: BleepingComputer

As previously reported by BleepingComputer, malicious actors have combined code from legitimate packages with otherwise bogus or malicious packages to mask their footsteps, and make the detection of these packages a tad more challenging.

"It's not uncommon in other ecosystems like npm, where you have millions of packages. Packages like these luckily are fairly easy to spot and avoid."

"Always a good idea to investigate a package before using it. If something seems off, there's a reason for that," smiled Boesch.

In recent months, the attacks on open-source ecosystems like npm, RubyGems, and PyPI have escalated.

Threat actors have been caught flooding software repositories with malware, malicious dependency confusion copycats, or simply vigilante packages to spread their message.

As such, securing these repositories has turned into a whack-a-mole race between threat actors and repository maintainers.

BleepingComputer has reached out to PyPI for comment before publishing and we are awaiting their response.

Read Entire Article