Security News > 2021 > May > Spammers flood PyPI with pirated movie links and bogus packages
Each of these packages is posted by a unique pseudonymous maintainer account, making it challenging for PyPI to remove the packages and spam accounts all at once.
PyPI is being flooded with spam packages named after popular movies in a style commonly associated with torrent or "Warez" sites that provide pirated downloads: watch-(movie-name)-2021-full-online-movie-free-hd-.... The discovery came to light when Adam Boesch, senior software engineer at Sonatype was auditing a dataset and noticed a funny-sounding PyPI component named after a popular TV sitcom.
Although some of these packages are a few weeks old, BleepingComputer observed that spammers are continuing to add newer packages to PyPI, as recently as an hour ago.
BleepingComputer also observed each of these packages were published by a distinct author account using a pseudonym, likely to make it hard for PyPI admins to take these packages down.
Other than containing spam keywords and links to quasi-video streaming sites, these packages contain files with functional code and author information lifted from legitimate PyPI packages.
As previously reported by BleepingComputer, malicious actors have combined code from legitimate packages with otherwise bogus or malicious packages to mask their footsteps, and make the detection of these packages a tad more challenging.