Spammers attack PyPI and GitLab repositories

Written by Emma Davis

ZDNet writes that spammers are actively attacking the Python Package Index (PyPI) and GitLab, bombarding both repositories with junk content and flooding them with advertising for dubious sites and services. The two attacks do not appear to be related to each other.

PyPI has suffered more than GitLab, as the attack on it has been going on for the whole of the past month. Spammers are abusing the fact that anyone can publish to the site, and are creating project pages for non-existent Python libraries. These pages serve purely as SEO advertising for various questionable sites.

Typically, these pages contain a jumble of keywords on topics ranging from games and porn to streaming services and fake giveaways. They also usually carry a shortened URL that leads to a fraudulent site which tries to harvest the visitor’s payment card details.
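The two signals the article describes (a keyword jumble on a handful of scam topics, plus a link through a URL shortener) are easy to turn into a simple triage heuristic for project descriptions. The following is an added example written for this page, not code from PyPI, ZDNet or the article’s author; the topic word list, shortener domain list, thresholds and the sample descriptions are all constructed here for illustration, and in practice the description text would come from PyPI’s JSON API (the info.description field of https://pypi.org/pypi/<name>/json).

```python
import re
from collections import Counter

# Constructed word list modelled on the topics the article names (games, porn,
# streaming, giveaways). A real deployment would tune this from observed spam.
SPAM_TOPICS = {
    "free", "giveaway", "generator", "hack", "stream", "streaming", "porn",
    "robux", "coins", "gift", "card", "codes", "unlimited", "watch", "online",
}
# Constructed list of URL-shortener hosts; the article only says "a short URL".
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "cutt.ly", "rb.gy", "is.gd"}

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)\S*")
WORD_RE = re.compile(r"[a-z][a-z0-9]+")


def spam_signals(description: str) -> dict:
    """Extract the individual spam indicators from one project description."""
    hosts = [h.lower() for h in URL_RE.findall(description)]
    # Strip URLs before tokenising so link fragments are not counted as words.
    text = URL_RE.sub(" ", description.lower())
    words = WORD_RE.findall(text)
    counts = Counter(words)
    topic_hits = sum(counts[w] for w in SPAM_TOPICS)
    return {
        "words": len(words),
        "topic_ratio": topic_hits / len(words) if words else 0.0,
        "shortener_links": sum(1 for h in hosts if h in URL_SHORTENERS),
        # A real package page normally shows how to install or import it.
        "has_code_sample": "import " in description or "pip install" in description,
    }


def is_spam(description: str, topic_threshold: float = 0.2) -> bool:
    """Flag a description as SEO spam using the constructed heuristics above."""
    s = spam_signals(description)
    if s["words"] == 0:
        return False
    # A shortener link plus even mild keyword stuffing is enough on its own.
    if s["shortener_links"] and s["topic_ratio"] >= topic_threshold / 2:
        return True
    # Otherwise require heavy keyword stuffing and no sign of real code.
    return bool(s["topic_ratio"] >= topic_threshold and not s["has_code_sample"])


# Constructed sample descriptions, not real PyPI pages.
SAMPLES = {
    "spam_keyword_jumble": (
        "FREE ROBUX GENERATOR 2021 free coins free gift card codes unlimited "
        "giveaway watch online stream free https://bit.ly/3xyzabc"
    ),
    "benign_cli": (
        "Watch progress of long-running jobs online with a streaming progress bar. "
        "pip install barwatch; import barwatch"
    ),
}

if __name__ == "__main__":
    for name, desc in SAMPLES.items():
        print(name, spam_signals(desc), "SPAM" if is_spam(desc) else "ok")
```

The benign sample deliberately uses three of the listed topic words (watch, online, streaming) to show why a bare keyword match is not enough: the ratio stays under the threshold, there is no shortener link, and the install snippet pushes it further toward legitimate.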

PyPI representatives told reporters that they are aware of the spam wave and that the site’s administrators are already working to remove it.

“Our admins are working to address the spam. By the nature of PyPI, anyone can publish to it, so it is relatively common,” said Ewa Jodlowska, Executive Director of the Python Software Foundation.

Many of the spam listings created on PyPI have indeed been deleted, but the attack appears to be still ongoing.

Similar activity has been seen on GitLab. Over the past weekend, unidentified individuals spammed the site’s issue tracker with similar junk, and each of these new issues triggered a notification email to the affected account holders.

Apparently, GitLab’s administrators were not prepared for an attack of this kind. GitLab’s e-mail system became overloaded and slowed down, and regular emails were delayed and queued.

“We confirmed that mail latency was caused by a user’s spam attack. Mitigation is in progress, as we drain the offending job processing queues,” GitLab said.

The publication notes that spreading spam through code repositories is still a relatively new tactic for spam groups, which usually focus on blogs, forums and news portals, where comment sections are often filled with dubious links.

As reported earlier, developer Lukas Martini discovered malicious Python libraries that stole SSH and GPG keys; the two libraries caught stealing keys from developers’ projects were subsequently removed from the PyPI repository.


About the author

Emma Davis

I'm a writer and content manager (a short time ago I completed a bachelor's degree in Marketing at Gustavus Adolphus College). For now, I have a deep drive to study cyber security.
