PyPI Blocks InBox.ru Emails Over Spam Concerns

Developers of the Python Package Index (PyPI) have reported that email addresses in the @inbox.ru domain are now blocked from registering new projects and from being attached as additional addresses to existing projects. The block was prompted by a spam campaign in which more than 250 accounts were created and more than 1,500 projects registered, apparently to mislead users and set up future security threats.

The registered projects imitated libraries that do not actually exist, either under names resembling popular projects (typosquatting) or under names that AI chatbots tend to hallucinate when recommending packages (a practice known as slopsquatting). At the time PyPI administrators blocked them, the projects contained no actual code. The concern was that they could later be used to attack users who blindly follow chatbot recommendations or who mistype a package name.

For instance, some packages were named after command-line tools or libraries whose real functionality differed from what the package claimed to offer. A recent study showed that package names hallucinated by ChatGPT can be turned into effective fake packages. In one experiment, the model recommended installing a non-existent library, HugingFace-Cli, with the command pip install HugingFace-Cli. The researcher registered a project with that name on PyPI, and it was downloaded more than 30,000 times within three months.
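Both failure modes described above, a mistyped name and a name a chatbot invented, can be caught before pip ever runs. The following pre-install check is an added example, not code from PyPI or from the researcher: it normalises names the way pip does (PEP 503), flags names within a small edit distance of a popular project as possible typosquats, and reports names on no allowlist as unknown, which is the state a slopsquatting candidate will be in. The allowlist, the distance threshold and the requirements lines are constructed for the example; a real deployment would use the organisation's vetted dependency list.

```python
"""Pre-install check for PyPI package names: flags near-misses of popular
projects (typosquatting) and names not on an allowlist at all (the pattern
slopsquatting relies on). Added example; not PyPI's or the researcher's code."""
import re

# Constructed sample allowlist (assumption: in practice use your organisation's
# vetted dependency list or a snapshot of the most-downloaded PyPI projects).
POPULAR = {
    "requests", "numpy", "pandas", "urllib3", "setuptools",
    "boto3", "huggingface-hub", "pip",
}


def normalize(name: str) -> str:
    """PEP 503 normalisation: runs of '-', '_' and '.' become '-', then lowercase.
    pip treats names as equal after this step, so comparisons must use it."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute); a transposition counts as 2."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def classify(requested, popular=POPULAR, max_distance=2):
    """Return ('known', name), ('possible-typosquat', closest_popular) or
    ('unknown', None). 'unknown' does not mean safe: the name is simply not
    vetted and must be checked on the project page before installing."""
    name = normalize(requested)
    allow = {normalize(p) for p in popular}
    if name in allow:
        return ("known", name)
    near = sorted((levenshtein(name, p), p) for p in allow)
    if near and near[0][0] <= max_distance:
        return ("possible-typosquat", near[0][1])
    return ("unknown", None)


def requirement_name(line):
    """Extract the project name from one requirements.txt line; None for
    blank lines, comments and options such as '-r base.txt'."""
    line = line.split("#", 1)[0].strip()
    m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)", line)
    return m.group(1) if m else None


def audit_requirements(text, popular=POPULAR, max_distance=2):
    """Classify every requirement in a requirements.txt body."""
    results = {}
    for line in text.splitlines():
        name = requirement_name(line)
        if name:
            results[name] = classify(name, popular, max_distance)
    return results


# Constructed sample input: one vetted project, one typo, one chatbot suggestion.
SAMPLE_REQUIREMENTS = """
requests==2.31.0
numpi>=1.26              # typo for numpy
HugingFace-Cli           # name suggested by a chatbot, not on the allowlist
-r base.txt
"""

if __name__ == "__main__":
    for name, (verdict, hint) in audit_requirements(SAMPLE_REQUIREMENTS).items():
        print(f"{name:16} {verdict:20} {hint or ''}")
```

The allowlist only catches what you enumerate, so treat an unknown verdict as a prompt to open the project page and check its release history and maintainers, not as a pass. A hallucinated name registered by an attacker will look exactly like a legitimate new project to this check; the decision it forces is the one the article's 30,000 downloaders skipped.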
