Description
PyPI user performing the mass project name squatting
Additional information
PyPI user kin has uploaded 38 packages.
They registered their PyPI account on the 26th May 2022.
They last updated 1 package on the 26th May 2022, 36 packages on the 29th May 2022 and 1 package on 14th June 2022.
All the packages have almost the same description: A daily useful kit by ..., where ... is either 'KIN' or 'WU'.
The packages I have inspected have blank READMEs, and invalid GitHub links.
The email addresses listed in the respective setup.py files are invalid.
I've tried emailing the address listed in setup.py for the 'abs' package ([email protected]), but it bounced because the address could not be found.
The email address listed in other packages that I've checked is either [email protected], which doesn't exist, or a clearly fake email [email protected].
So far as I can tell, the uploaded packages are not malware.
They are not completely empty packages, but they don't do very much.
For example, the package kinn contains two empty .py files, and a file called wy.py which contains the following function:

```python
def log(log_str):
    print(log_str)
```
And that's the whole package.
Their most recently updated package yue is the exception, as it has 6 releases, and a function to send a notification to an API. It also inlines some of the code from the other packages, such as a variant of the log function above.
My personal interest is that I want to use the package name abs for a new package I'm developing to download and clean data from the Australian Bureau of Statistics (ABS).
I considered requesting a PEP 541 name transfer just for the abs package, however, when I noticed the large number of unmaintained low utility packages uploaded on the same date by this user, I thought perhaps a name squat issue was more appropriate.
Code of Conduct
- I agree to follow the PSF Code of Conduct
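The reporter checked each package by hand for the same three signals (blank README, invalid contact e-mail, one boilerplate summary reused across many projects). The following is an added triage helper, not code from the issue or from PyPI, that scores those signals over the `info` object that the PyPI JSON API (https://pypi.org/pypi/<name>/json) returns per project; the sample records and e-mail addresses below are constructed for the demo.

```python
import re
from collections import Counter

# Minimal syntactic check: local@domain.tld. Whether the address actually
# delivers (the bounce the reporter saw) can only be learned by sending mail.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def email_is_plausible(addr):
    return bool(addr) and EMAIL_RE.match(addr) is not None

def summary_key(summary, words=3):
    # Group "A daily useful kit by KIN" with "... by WU": compare leading words only.
    return " ".join((summary or "").lower().split()[:words])

def squat_indicators(info):
    """Indicators that fire for a single project's PyPI `info` object."""
    hits = []
    if not (info.get("description") or "").strip():
        hits.append("blank_readme")      # long description / README is empty
    if not email_is_plausible(info.get("author_email") or ""):
        hits.append("invalid_email")     # missing or malformed contact address
    return hits

def triage(records, min_shared=3):
    """Map project name -> indicators across a set of projects, adding
    'shared_summary' when at least `min_shared` projects reuse one summary."""
    keys = Counter(summary_key(r["info"].get("summary")) for r in records)
    report = {}
    for r in records:
        info = r["info"]
        hits = squat_indicators(info)
        if keys[summary_key(info.get("summary"))] >= min_shared:
            hits.append("shared_summary")
        report[info["name"]] = hits
    return report

# Constructed sample records in the shape of the PyPI JSON API's "info" object.
SAMPLE = [
    {"info": {"name": "kit-one", "summary": "A daily useful kit by KIN",
              "description": "", "author_email": "nobody@"}},
    {"info": {"name": "kit-two", "summary": "A daily useful kit by WU",
              "description": "", "author_email": None}},
    {"info": {"name": "kit-three", "summary": "A daily useful kit by KIN",
              "description": "   ", "author_email": "abc"}},
    {"info": {"name": "realpkg", "summary": "Parse ABS statistical releases",
              "description": "# realpkg\nUsage: ...", "author_email": "dev@example.org"}},
]

if __name__ == "__main__":
    for name, hits in triage(SAMPLE).items():
        print(name, hits or "clean")
```

Running it prints every `kit-*` record with all three indicators and `realpkg` as clean; for live use, feed it the `info` objects fetched for each project owned by the account in question.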