We detected over 2,000 malicious packages in the Tsinghua, Tencent, Douban, and Bfsu PyPI mirrors using the IntelliRadar pipeline. The mirror maintainers confirmed all of the reported package intelligence and sent a letter of thanks to me.
Additionally, the Douban mirror redirects to Tencent, and the Bfsu mirror redirects to Tsinghua.
The RQ5 table results were scanned on 2024-04-01, and the RQ5-2 table results were scanned on 2025-01-05. All findings have been reported to the relevant mirror maintainers.
Tencent Email Translation
Hello, XXX,
We have received your letter and have cleaned up and resynchronized the relevant malicious packages as soon as possible. You are welcome to retest and verify at any time.
Thank you very much for your contribution to open source and security!
Let's communicate here. Can we establish a long-term mechanism in the future, or can you provide an evaluation method so that we can automatically identify or automatically obtain the latest list for automatic cleaning?
Tsinghua Email Translation
Hello,
Thanks for your reminder. Most of the packages in the list no longer exist upstream, but the synchronization mechanism of PyPI has prevented them from being deleted. We are using third-party tools to batch process such residual packages.
There are several other points of feedback as follows:
Some of the addresses are from Tencent open source mirrors and have nothing to do with TUNA.
The problem you reported to USTC by email does not exist. USTC's mirrors have been redirected to the bfsu mirror managed by TUNA.
Any security embargo needs to be conducted in a responsible manner. As a security researcher, you should be aware of the dangers of directly disclosing sensitive information in public issues.
Best wishes,
XXX
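The Tsinghua reply above attributes the residual packages to the mirror synchronization not deleting projects that were removed upstream. The following is an added example, not code from the original report or from the IntelliRadar pipeline, showing how a mirror operator or researcher can flag such residual projects by diffing a mirror's PEP 503 simple index against upstream's; both indexes here are constructed in-memory samples with placeholder project names.

```python
"""Flag projects a PyPI mirror still serves although they no longer exist upstream.

Added example (not part of the original report). In a live check the two
index pages would be fetched from https://pypi.org/simple/ and the mirror's
/simple/ endpoint; here they are constructed samples with placeholder names.
"""
import re
from html.parser import HTMLParser


def normalize(name):
    """PEP 503 name normalization: lowercase, runs of [-_.] become one '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


class SimpleIndexParser(HTMLParser):
    """Collect normalized project names from a PEP 503 index (one <a> per project)."""

    def __init__(self):
        super().__init__()
        self.projects = set()
        self._in_anchor = False

    def handle_starttag(self, tag, attrs):
        self._in_anchor = tag == "a"

    def handle_data(self, data):
        if self._in_anchor and data.strip():
            self.projects.add(normalize(data.strip()))

    def handle_endtag(self, tag):
        if tag == "a":
            self._in_anchor = False


def parse_index(html):
    parser = SimpleIndexParser()
    parser.feed(html)
    return parser.projects


def residual_packages(mirror_html, upstream_html):
    """Return names served by the mirror but absent upstream (sorted)."""
    return sorted(parse_index(mirror_html) - parse_index(upstream_html))


# Constructed sample indexes; "Example_Removed.Pkg" is a placeholder, not a real finding.
UPSTREAM_INDEX = '<html><body>\n<a href="/simple/requests/">requests</a>\n' \
                 '<a href="/simple/numpy/">numpy</a>\n</body></html>'
MIRROR_INDEX = UPSTREAM_INDEX.replace(
    "</body>", '<a href="/simple/example-removed-pkg/">Example_Removed.Pkg</a>\n</body>')

if __name__ == "__main__":
    for name in residual_packages(MIRROR_INDEX, UPSTREAM_INDEX):
        print("residual on mirror, gone upstream:", name)
```

Residual names found this way still need a manual or pipeline review, since a project can also disappear upstream for benign reasons such as an owner-requested deletion.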
You can find the original Tencent and Tsinghua emails here:
https://drive.google.com/file/d/14Eo9OSQTJ_e-GsVygdQTOWba4CgRxpm0/view?usp=sharing
https://drive.google.com/file/d/1G8wmRSR5rxjwMJwbQ9HI38kDVBx5lHRE/view?usp=sharing