
kam193/package-campaigns


Package Campaigns Collection

This is a collection of (mostly) malicious campaigns targeting package ecosystems, currently limited to PyPI.

Data are sourced only from what I have seen in my analysis lab and are exported here periodically. The classification is mostly arbitrary and may not follow any strict criteria.

Published information covers the campaigns as well as lists of identified package names. This repository does not (and will not) contain the source code of the mentioned packages.

Web representation: bad-packages.kam193.eu

Repository Structure

  • pypi/ - automatically extracted data about packages from the PyPI ecosystem.
    • campaigns/<category> - list of campaigns in a category, each one as a JSON file
    • packages/<category>/json/ - alternative structure with basic package info as JSON files.

Campaign Categories

Currently, I publish the following categories:

  • malicious - the campaign has clearly malicious intent, e.g. infostealers;
  • spam - advertisements, spam packages etc.;
  • pentest - packages with high confidence of being created for a pentest (actually used rarely, with probably_pentest taking most of the pentesting packages);
  • probably_pentest - packages looking like typical pentest packages, but also anything that looks like testing, exploring pre-prepared kits, research & co, with clearly low potential for harm;
  • highly_suspicious - packages that are likely malicious, but due to the obfuscation level, lack of time or lack of clear indicators it is hard to say what exactly they do; this category has the highest risk of false positives;
  • high_risk_hacking_tools - packages that in most cases are very likely to be used to build malware or as part of it. They are not malicious on their own, but are quite a good indicator of something suspicious.

In my opinion, you should not have any of those packages in your environment.
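One way to act on that advice is to match a project's dependency list against the names exported under pypi/packages/<category>/json/. The script below is an added example, not part of this repository: the README does not document the JSON schema, so it assumes each file has a "name" field (hypothetical) and falls back to the file's stem, and it builds its own constructed sample export in a temporary directory.

```python
from __future__ import annotations
import json
import re
import tempfile
from pathlib import Path

def normalize(name: str) -> str:
    # PEP 503: pip treats "Evil_Stealer" and "evil-stealer" as one project,
    # so a blocklist lookup has to fold case and runs of "-", "_", "." too.
    return re.sub(r"[-_.]+", "-", name).lower()

def load_blocklist(root: Path) -> dict[str, str]:
    # Map normalized name -> category for pypi/packages/<category>/json/*.json.
    blocked: dict[str, str] = {}
    for path in sorted(root.glob("pypi/packages/*/json/*.json")):
        category = path.parent.parent.name
        data = json.loads(path.read_text(encoding="utf-8"))
        # The "name" field is assumed (schema not documented); fall back to the file stem.
        raw = data.get("name", path.stem) if isinstance(data, dict) else path.stem
        blocked[normalize(raw)] = category
    return blocked

def requirement_name(line: str) -> str | None:
    # Project name from a requirements.txt line; skip comments, blank lines and options.
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("-"):
        return None
    m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
    return m.group(0) if m else None

def find_blocked(requirements: str, blocked: dict[str, str]) -> list[tuple[str, str]]:
    hits = []
    for line in requirements.splitlines():
        name = requirement_name(line)
        if name and normalize(name) in blocked:
            hits.append((name, blocked[normalize(name)]))
    return hits

def demo() -> list[tuple[str, str]]:
    # Constructed sample export and requirements; nothing here comes from the repository.
    sample = {"malicious": {"Evil_Stealer": {"name": "Evil_Stealer"}}, "spam": {"adpkg": {}}}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for category, files in sample.items():
            d = root / "pypi/packages" / category / "json"
            d.mkdir(parents=True)
            for stem, body in files.items():
                (d / f"{stem}.json").write_text(json.dumps(body))
        reqs = "requests==2.31.0\nevil-stealer>=1.0  # constructed\n-r other.txt\nAdPkg[cli]\n"
        return find_blocked(reqs, load_blocklist(root))
```

Against a real checkout, point load_blocklist at the repository root and feed find_blocked the output of pip freeze or a requirements file.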

Disclaimer

Data are presented as-is without any guarantee. Detection, classification, analysis etc. are done as a hobby activity; you use the information at your own risk. Mistakes or highly opinionated classifications are possible.

License

You're free to use data exposed here as long as you attribute the source.

About

Campaigns of (mostly) malicious packages - currently only in PyPI
