Python Package Index
The Python Package Index or PyPI is the official third-party software repository for the Python programming language. Python developers intend it to be a comprehensive catalog of all open source Python packages.
While the PyPI website is maintained by the Python Software Foundation, its contents are uploaded by individual package maintainers. Python package managers such as pip default to downloading packages from PyPI.
Categories
Blacklist
- JFrog Detects Malicious PyPI Packages Stealing Credit Cards and Injecting Code - JFrog's security research team found several malicious packages, reported them to PyPI, and had them removed
List of malicious packages
| Package name | Maintainer | Payload |
|---|---|---|
| noblesse | xin1111 | Discord token stealer, Credit card stealer (Windows-based) |
| genesisbot | xin1111 | Same as noblesse |
| aryi | xin1111 | Same as noblesse |
| suffer | suffer | Same as noblesse, obfuscated by PyArmor |
| noblesse2 | suffer | Same as noblesse |
| noblessev2 | suffer | Same as noblesse |
| pytagora | leonora123 | Remote code injection |
| pytagora2 | leonora123 | Same as pytagora |
How to use API tokens
- Help · PyPI # How can I use API tokens to authenticate with PyPI?
- How to upload your package to the Python Package Index (PyPI) test server · Not sorry for the inconvenience
To use an API token:
- Set your username to `__token__`
- Set your password to the token value, including the `pypi-` prefix
When using it locally, add the following to the $HOME/.pypirc file:
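The two rules above (username `__token__`, password carrying the `pypi-` prefix) can be checked mechanically. The following is an added example, not code from this page or from PyPI: it parses a constructed `.pypirc` (the `SAMPLE_PYPIRC` string, with a placeholder token rather than a real one), flags any index-server section still configured with a legacy username/password, and, for a real file, also warns when the file mode lets other users read the token.

```python
import configparser
import stat
from pathlib import Path

# Constructed sample ~/.pypirc (not from the page). The [pypi] section follows
# the token rules; [testpypi] still uses a legacy username/password pair.
# The token value is an obvious placeholder, not a real PyPI token.
SAMPLE_PYPIRC = """\
[distutils]
index-servers =
    pypi
    testpypi

[pypi]
username = __token__
password = pypi-PLACEHOLDER_TOKEN_VALUE

[testpypi]
repository = https://test.pypi.org/legacy/
username = alice
password = hunter2
"""


def check_pypirc_text(text):
    """Return {section: [problem, ...]} for every index-server section."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    findings = {}
    for section in cp.sections():
        if section == "distutils":  # holds the server list, not credentials
            continue
        problems = []
        user = cp.get(section, "username", fallback="")
        pw = cp.get(section, "password", fallback="")
        if user != "__token__":
            problems.append("username is not __token__ (password-based auth)")
        if not pw.startswith("pypi-"):
            problems.append("password lacks the pypi- prefix (not an API token)")
        findings[section] = problems
    return findings


def check_pypirc_file(path):
    """Check a real .pypirc on disk, including its file permissions."""
    p = Path(path)
    findings = check_pypirc_text(p.read_text())
    mode = stat.S_IMODE(p.stat().st_mode)
    if mode & 0o077:  # group/other bits set: token readable by other users
        findings["_file"] = [f"mode {oct(mode)} is not 0600"]
    return findings
```

Run `check_pypirc_file(Path.home() / ".pypirc")` to audit your own file; an empty list for a section means it is token-based.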