Why Spam Packages Flooded PyPI with Pirated Movie Links and How to Stay Safe
A wave of malicious PyPI packages named after popular movies and TV shows, many containing spam keywords and stolen code, exposed supply‑chain risks and prompted urgent cleanup by maintainers, highlighting the need for developers to verify packages before use.
According to BleepingComputer, the official Python package index PyPI was hit by a spam flood where attackers uploaded thousands of bogus packages named after popular movies and TV shows, often including terms like “full‑online‑movie‑free‑hd‑quality”.
Each malicious package was published under a unique fake maintainer account, making removal difficult for PyPI administrators.
Adam Boesch, a senior software engineer at Sonatype, first spotted the suspicious components and noted that similar naming patterns are common in other ecosystems such as npm.
“I noticed a package named ‘wandavision’ and, after digging, found it was one of many spam packages on PyPI. In other ecosystems this is common, but such packages are easy to spot and avoid.”
Some of the packages had been live for weeks, and the spammers kept adding new ones; search results show over 10,000 spam packages, though fewer are visible in the repository. The bogus packages contain spam keywords, links to illegal streaming sites, and sometimes code stolen from legitimate packages, such as code from the “jedi‑language‑server” package.
PyPI maintainers have now cleaned up most of the malicious packages, but developers are advised to verify packages before use, as they may still contain malware or harmful code.
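As an added defender-side example (not code from the article, PyPI or Sonatype), the check below scores PyPI-style package metadata against the spam signals the report describes: keyword-laden names, links to streaming sites, and README text copied from another project. The regexes, the streaming domain word list and the two sample metadata records are constructed for the demonstration.

```python
import re
from dataclasses import dataclass, field

# Heuristics built from the naming pattern reported in the article
# ("full-online-movie-free-hd-quality"); constructed, extend as needed.
SPAM_TERMS = re.compile(
    r"full[-_ ]?online|watch[-_ ]?online|free[-_ ]?hd|hd[-_ ]?quality|"
    r"online[-_ ]?movie|movie[-_ ]?free|free[-_ ]?stream", re.I)
URL_RE = re.compile(r"https?://[^\s)\"'<>]+", re.I)
HEADING_RE = re.compile(r"^\s*#\s*([A-Za-z0-9_.\-]+)", re.M)
# Constructed word list for streaming-style hosts; not a real blocklist.
STREAM_DOMAIN_WORDS = ("stream", "movie", "hdfilm", "watch")

@dataclass
class Finding:
    name: str
    reasons: list = field(default_factory=list)

def assess_package(meta: dict) -> Finding:
    """Flag spam signals in PyPI JSON-style metadata ({"info": {...}})."""
    info = meta.get("info", {})
    name = info.get("name", "")
    text = " ".join(filter(None, [info.get("summary"), info.get("description")]))
    finding = Finding(name)
    if SPAM_TERMS.search(name):
        finding.reasons.append("name matches pirated-stream keyword pattern")
    if SPAM_TERMS.search(text):
        finding.reasons.append("summary/description carries spam keywords")
    hosts = [u.split("/")[2].lower() for u in URL_RE.findall(text)]
    if any(w in h for h in hosts for w in STREAM_DOMAIN_WORDS):
        finding.reasons.append("links to streaming-style domains")
    # A README heading naming a different project hints at copied content.
    heading = HEADING_RE.search(info.get("description") or "")
    if heading and heading.group(1).lower() != name.lower():
        finding.reasons.append(f"README heading names another project: {heading.group(1)}")
    return finding

# Constructed sample records mimicking PyPI's /pypi/<name>/json "info" block.
SPAM_META = {"info": {
    "name": "wandavision-full-online-movie-free-hd-quality",
    "summary": "Watch WandaVision full online movie free HD quality",
    "description": "# jedi-language-server\n\nStream: http://hdstream.invalid/watch/wv\n"}}
BENIGN_META = {"info": {
    "name": "safe-parser",
    "summary": "A small tokenizer",
    "description": "# safe-parser\n\nDocs: https://docs.example.invalid/safe-parser\n"}}

if __name__ == "__main__":
    for meta in (SPAM_META, BENIGN_META):
        f = assess_package(meta)
        print(f.name, "->", "SUSPICIOUS" if f.reasons else "no spam signals", f.reasons)
```

In practice the metadata would come from the package index's JSON endpoint for the candidate name, and a non-empty reasons list is a cue to inspect the package manually rather than install it.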
Earlier reports from ZDNet highlighted similar spam on PyPI and GitLab, and the Python Software Foundation acknowledged the challenge of distinguishing malicious from legitimate packages due to the open publishing model.
https://www.bleepingcomputer.com/news/security/spammers-flood-pypi-with-pirated-movie-links-and-bogus-packages/
https://www.zdnet.com/article/pypi-gitlab-dealing-with-spam-attacks/