Purpose: to demonstrate how to exploit PyPI's lack of security practices by creating an automated process that spreads a potentially malicious payload. The script creates a randomly named Python package on PyPI carrying a potentially malicious payload that runs on any system that installs the package.
- Write your payload and put it in `setup.template`.
- Get a Gmail account and set the `$email` and `$password` environment variables to your account credentials. Gmail allows you to send mail to "sub-addresses", i.e. `<string>+<your_email>@gmail.com`, and PyPI considers all of these email addresses unique.
- Run `python pypi.py`.
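The weakness the list above relies on is that `alice+1@gmail.com`, `alice+2@gmail.com` and `a.lice@googlemail.com` all deliver to one mailbox while a registry that compares raw strings treats them as three people. The following is an added example, not part of this repository, of the registration-side check a registry operator would want: it canonicalises addresses (assuming Gmail's documented behaviour of ignoring dots and `+` suffixes, and treating `googlemail.com` as `gmail.com`) and flags accounts that collapse onto the same mailbox. `find_alias_clusters` and the sample registrations are constructed for the demonstration.

```python
# Gmail ignores dots in the local part and anything after '+' (assumption
# based on Gmail's documented behaviour); googlemail.com is the same mailbox.
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_email(addr: str) -> str:
    """Reduce an address to the mailbox it actually delivers to."""
    addr = addr.strip().lower()
    if addr.count("@") != 1:
        raise ValueError(f"not a single-mailbox address: {addr!r}")
    local, domain = addr.split("@")
    if domain in GMAIL_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    else:
        # Other providers: strip only the widely supported '+tag' convention
        # (heuristic; dot handling is provider-specific, so it is left alone).
        local = local.split("+", 1)[0]
    return f"{local}@{domain}"


def find_alias_clusters(registrations):
    """Group (username, email) registrations by underlying mailbox and
    return only the clusters that map more than one account to one mailbox."""
    clusters = {}
    for user, email in registrations:
        clusters.setdefault(canonical_email(email), []).append(user)
    return {mailbox: users for mailbox, users in clusters.items() if len(users) > 1}


# Constructed sample registrations (hypothetical usernames and addresses).
SAMPLE = [
    ("pkg-owner-1", "alice+a1@gmail.com"),
    ("pkg-owner-2", "Alice+a2@gmail.com"),
    ("pkg-owner-3", "a.l.i.c.e@googlemail.com"),
    ("legit-user", "bob@example.org"),
]

if __name__ == "__main__":
    for mailbox, users in find_alias_clusters(SAMPLE).items():
        print(f"{mailbox}: {len(users)} accounts -> {users}")
```

Run against the constructed sample, the three `pkg-owner-*` accounts are reported as one mailbox while `legit-user` is not flagged.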
Automating the entire PyPI process
- Create a new account on PyPI
- Verify your account
- Create a new Python package
- Upload to PyPI