pypi / support

Issue tracker for support requests related to using https://pypi.org

Mass name squat by user: david-aws #2171

Closed luisenp closed 1 year ago

luisenp commented 2 years ago

PyPI user performing the mass project name squatting

https://pypi.org/user/david-aws

Additional information

I'm one of the authors of Theseus, a recently released library which we are planning to upload to pypi under the name "theseus-ai". However, I just noticed this name was taken 3 hours ago by a seemingly fake user that has a lot of projects with information copy pasted from the internet, all created within the last 4 months.

For example, the README for "theseus-ai" has been taken from this unrelated repository, which is not even written in Python. The same happens for another project by this user, named "pango", which points to this. A quick glance through the list suggests this is the case for all of the author's projects, and in general this profile is very suspicious.

Is there anything that can be done about this? I appreciate any orientation on this matter. Thanks!


luisenp commented 2 years ago

This user just added another repository, it's even using the same README as "theseus-ai" --> https://pypi.org/project/gsuite-grant-analyzer/

yeraydiazdiaz commented 1 year ago

I've reached out to the owner of these packages for clarification on his actions.

At the moment he's registered 23 projects and has been willing to transfer projects to users who have contacted him on at least two separate occasions.

luisenp commented 1 year ago

They transferred the project to us after claiming this as a security vulnerability. Seems to be a bounty hunter. I decided to leave this task up so you could decide if this was fair use of pypi or not. Feel free to close this issue as you see fit.

yeraydiazdiaz commented 1 year ago

Yes, the owner replied confirming that he is a bounty hunter. I've informed him that this is explicitly not permitted in PyPI's acceptable use policy, specifically:

Note that this includes dual-use content, including content that is used for research into vulnerabilities, malware, or exploits, including bug bounties. We consider PyPI to be a platform used primarily for installation and run-time use of code, and not for research.

For clarity, any security issues should be reported following PyPI's security guidelines.

ewdurbin commented 1 year ago

This mass name squat has been handled.