
Spammers flooded the PyPI repository with links to pirated movies

Bleeping Computer reports that spammers have flooded the official Python Package Index (PyPI) repository with strange fake packages whose names resemble those seen on torrent trackers and warez sites.

Numerous packages are published from unique accounts (one package per account), which makes them difficult to remove and complicates any effective fight against spam accounts.

The first to notice the problem was Adam Boesch, a senior software engineer at Sonatype, who happened to come across a package in PyPI named after a popular television series (wandavision), which struck him as odd.

Journalists note that such junk packages are usually named following the watch-(movie name)-2021-full-online-movie-free-hd pattern, which is well known to visitors of pirate resources.

Some of these packages are already several weeks old, but spammers continue to add new ones to PyPI to this day. The publication was able to detect more than 10,000 such packages, although this estimate may be inaccurate and the actual amount of spam in PyPI is probably slightly lower.

These spoof pages tend to contain a jumble of keywords, as well as links to streaming sites of highly questionable legitimacy, such as https://besflix[.]com/movie/XXXXX/profile.html.

This is what a standard spam package page looks like.

In addition to keywords and links, the packages also contain files with functional code and author information, which are usually taken from other, legitimate PyPI packages.

For example, the watch-army-of-the-dead-2021-full-online-movie-free-hd-quality package contained the author information and code from the real jedi-language-server package. Apparently, this is how the spammers disguise their packages and try to make such junk harder to detect.
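The naming pattern and the copied author metadata described above are exactly the kind of signals a registry maintainer or a supply-chain scanner can triage on. The following is an added example, not code from the article, from PyPI or from Sonatype: a small heuristic that flags packages whose name matches the watch-(title)-(year)-full-online-movie-free-hd pattern, whose description carries streaming keywords and off-platform links, or whose author and e-mail are identical to those of a known trusted package. All package records, author details, hosts and the ALLOWED_HOSTS list are constructed placeholders, not real PyPI data.

```python
"""Heuristic triage for spam packages of the kind described in the article.

Added example with constructed data; none of the package records below are real.
"""
import re
from dataclasses import dataclass

# Name pattern from the article: watch-<title>-<year>-full-online-movie-free-hd[...]
NAME_PATTERN = re.compile(r"^watch-[a-z0-9-]+-(19|20)\d{2}-full-online-movie-free-hd", re.I)

# Keyword cues typical of the junk description pages (constructed list)
KEYWORD_CUES = ("full movie", "free hd", "online free", "watch online", "123movies")
URL_RE = re.compile(r"https?://([a-z0-9.-]+)", re.I)
# Assumption: hosts a legitimate project page commonly links to; anything else is counted
ALLOWED_HOSTS = {"github.com", "pypi.org", "readthedocs.io"}


@dataclass
class Package:
    name: str
    author: str
    author_email: str
    description: str
    owner_package_count: int  # how many packages the uploading account owns


def name_looks_like_spam(name: str) -> bool:
    """True if the package name follows the watch-*-<year>-full-online-movie-free-hd pattern."""
    return bool(NAME_PATTERN.match(name))


def keyword_hits(description: str) -> list:
    """Streaming-site keywords found in the description, in KEYWORD_CUES order."""
    text = description.lower()
    return [cue for cue in KEYWORD_CUES if cue in text]


def suspicious_hosts(description: str) -> list:
    """Link hosts in the description that are not on the allowed list."""
    hosts = set()
    for match in URL_RE.finditer(description):
        host = match.group(1).lower()
        if not any(host == a or host.endswith("." + a) for a in ALLOWED_HOSTS):
            hosts.add(host)
    return sorted(hosts)


def copied_author(pkg: Package, trusted: list) -> "str | None":
    """Name of the trusted package whose author and e-mail this package reuses, if any."""
    key = (pkg.author.strip().lower(), pkg.author_email.strip().lower())
    for t in trusted:
        if t.name != pkg.name and key == (t.author.strip().lower(), t.author_email.strip().lower()):
            return t.name
    return None


def triage(pkg: Package, trusted: list) -> list:
    """Independent reasons to suspect this package; an empty list means nothing matched."""
    reasons = []
    if name_looks_like_spam(pkg.name):
        reasons.append("name matches watch-*-full-online-movie-free-hd pattern")
    hits = keyword_hits(pkg.description)
    if hits:
        reasons.append("streaming keywords: " + ", ".join(hits))
    hosts = suspicious_hosts(pkg.description)
    if hosts:
        reasons.append("off-platform links: " + ", ".join(hosts))
    source = copied_author(pkg, trusted)
    if source:
        reasons.append("author metadata identical to " + source)
    # One package per account is only a signal in combination with another one
    if pkg.owner_package_count == 1 and reasons:
        reasons.append("single-package uploader account")
    return reasons


def triage_all(packages: list, trusted: list, threshold: int = 2) -> dict:
    """Map of package name to reasons for every package with at least `threshold` signals."""
    flagged = {}
    for pkg in packages:
        reasons = triage(pkg, trusted)
        if len(reasons) >= threshold:
            flagged[pkg.name] = reasons
    return flagged


# Constructed sample data: one trusted package and a small batch of uploads to triage
TRUSTED = [Package("trusted-lang-server", "Example Maintainer", "maintainer@example.invalid",
                   "Language server; docs at https://trusted-lang-server.readthedocs.io", 5)]
SAMPLE_PACKAGES = [
    Package("watch-army-of-the-dead-2021-full-online-movie-free-hd-quality",
            "Example Maintainer", "maintainer@example.invalid",
            "Watch Army of the Dead 2021 full movie online free HD "
            "https://streaming.example.invalid/movie/1/profile.html", 1),
    Package("wandavision", "Anon", "anon@example.invalid",
            "wandavision season 1 watch online free hd https://streaming.example.invalid/tv/2", 1),
    Package("netutils-helper", "Some Dev", "dev@example.invalid",
            "Small helper for parsing URLs. Source: https://github.com/example/netutils-helper", 1),
] + TRUSTED

if __name__ == "__main__":
    for name, reasons in triage_all(SAMPLE_PACKAGES, TRUSTED).items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

The threshold of two independent signals is deliberate: a lone single-package account or a single off-platform link describes plenty of legitimate first uploads, while a movie-style name combined with author metadata lifted from another project almost never does. On the constructed batch, the two movie packages are flagged and the helper and trusted packages are not.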

Let me remind you that warnings about junk content in PyPI and GitLab were already issued in early 2021. At that time, PyPI representatives told reporters that they were aware of the observed wave of spam and that administrators were already working to eliminate it.

Apparently, until recently the repository's administrators had been succeeding in combating such abuse.

Let me also remind you that we have written about Python overtaking JavaScript in popularity among developers.

Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.
