tartley / colorama

Simple cross-platform colored terminal text in Python
BSD 3-Clause "New" or "Revised" License

FYI: PyPI package 'colourama' (with a 'u') is MALWARE, steals bitcoin #202

Open tartley opened 5 years ago

tartley commented 5 years ago

FYI, someone uploaded package 'colourama' (with a 'u', spelled UK style) which acts like colorama, but also attempts to steal bitcoin from the machine it's installed on. https://developers.slashdot.org/story/18/10/27/1820259

I haven't dug into what we can or should do about it. Perhaps a prominent line in the README would be helpful? Something like:

''' Beware package 'colourama' is typosquatting MALWARE that steals bitcoin. The legit package is 'colorama' (with no 'u'). https://developers.slashdot.org/story/18/10/27/1820259 '''
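A defender-side check for the kind of typosquat described above, as an added example that is not part of the colorama project or this thread: it flags names in a requirements file that are not on an allowlist but sit within a small edit distance of an allowed name (so 'colourama' is caught as one edit from 'colorama'). The allowlist and the requirements lines are constructed for the example.

```python
import re

# Constructed allowlist: the packages this project actually means to depend on.
KNOWN_GOOD = {"colorama", "requests"}

# Constructed requirements.txt: one real dependency, one 'u'-style lookalike
# like the reported 'colourama', and one transposed name.
SAMPLE_REQUIREMENTS = """\
colorama==0.4.6
colourama>=0.1
requests
reqeusts==2.0
"""

def normalize(name: str) -> str:
    """PEP 503 name normalization: lowercase, runs of -, _ and . become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) via a single-row DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def requirement_names(text: str) -> list[str]:
    """Project name from each requirements line that starts with a name."""
    names = []
    for line in text.splitlines():
        # Blank lines, comments and options like '-r' do not start with a name.
        m = re.match(r"\s*([A-Za-z0-9][A-Za-z0-9._-]*)", line)
        if m:
            names.append(normalize(m.group(1)))
    return names

def find_lookalikes(text: str, known_good: set[str], max_distance: int = 2):
    """(requested, nearest_known, distance) for names that are not known-good
    but sit within max_distance edits of one; exact matches are skipped."""
    known = {normalize(k) for k in known_good}
    hits = []
    for name in requirement_names(text):
        if name in known:
            continue
        nearest = min(known, key=lambda k: levenshtein(name, k))
        distance = levenshtein(name, nearest)
        if distance <= max_distance:
            hits.append((name, nearest, distance))
    return hits
```

Run it over a real requirements file with your own allowlist; anything it reports deserves a look at the package page before the install proceeds.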

wiggin15 commented 5 years ago

Luckily, PyPI removed this package and it is not available any more. Interesting to know you're a Slashdot reader as well :)

tartley commented 5 years ago

Ha! I used to be, a decade ago, but dropped it in favor of hacker news, and then more recently dropped that in favor of lobste.rs.

A friend forwarded me the link.