What is the story behind "russianidiot" on PyPI?
I was doing some analysis of Python package metadata on PyPI when I came across the russianidiot account.
They have at least 132 packages on PyPI, but most of the repos don't seem to do anything interesting. Indeed, many of them do things that are trivial, or in some cases, do things that I would consider incorrect.
If it was just someone making packages for their own amusement, I would say "whatever". But some of these packages are downloaded millions of times:
In the past 6 months:
- request: >2,000,000 downloads
- public: >1,600,000 downloads
- setupfiles: >1,600,000 downloads
- get: >1,600,000 downloads
- post: >1,600,000 downloads
- query_string: >1,600,000 downloads
This puts them all in the top 0.3% most downloaded Python packages!
Perhaps I haven't gotten enough sleep, or I have read too many scary stories.
But now I'm wondering if anyone has looked into these packages before. Are they malicious? Are the packages typo-squatting (ex. request is very similar to requests, the 8th most popular Python package)?
I've tried looking at the source, and I don't see anything obviously malicious. Could someone help allay my fears? Has anyone looked into this account already?