Malicious & suspicious packages¶
This is a collection of campaigns targeting package ecosystems, currently limited to PyPI.
Data are sourced (with small exceptions) from what I've seen in my analysis lab and are exported here periodically. The classification is mostly arbitrary and may not follow any strict criteria.
All published packages have been manually checked.
Notice
The web representation is a WIP.
Content¶
Packages are grouped into campaigns, each of which describes the activity. At the moment there is no additional description at the package level. Because behaviour sometimes changes over time, the campaign description may not exactly describe the behaviour of every package in it.
The current focus is on packages created for malicious purposes, not on compromised versions of legitimate packages. As such, there is currently no information about specific versions.
Disclaimer¶
Data are presented as-is without any guarantee. Detection, classification, analysis and so on are done as a hobby activity; you use the information at your own risk. There may be mistakes or highly opinionated classifications.