wbond / packagecontrol.io

The Package Control website
https://packagecontrol.io

Removed packages are still listed on packagecontrol.io #154

Open deathaxe opened 2 years ago

deathaxe commented 2 years ago

Packages like One Dark Color Scheme have been removed from registry years ago. They are still listed at packagecontrol.io however.


markarce commented 1 year ago

I was recently browsing for packages and found what appears to be a removed package with a malicious / naughty link: https://packagecontrol.io/packages/Makefile%20Improved. The homepage and author links include the following URL: quelltexter (DOT) org. The URL redirects to a porn thumbnail page of some kind. One can imagine why this might be a problem while browsing packages at, say, the office.

Abandoned / deleted packages can still show up in search (on packagecontrol.io and in the packagecontrol plugin) and cause problems when, for example, domains change hands and the new owner does something else (as in this case).

deathaxe commented 1 year ago

I am slightly concerned about "Makefile Improved" as the related repository has been removed in Aug 2020. (https://github.com/wbond/package_control_channel/commit/ee4939071d56e5fb09c93684fa712df983e3399b)

As all readme links of all packages of klorenz point to the same malicious URL, it appears packagecontrol.io may have been compromised.

markarce commented 1 year ago

I think it’s more likely that klorenz registered the domain originally and let the domain expire, and the expired domain was then registered by the malicious actor who set it to redirect to where it does now.