tl;dr “Just try to ignore them”

I’ve subscribed to PyPI’s new packages feed for some time. In recent days, it’s been like déjà vu. I kept seeing the same sentence over and over again:

A simple printer of nested lists

But the packages are all different. At first, I thought this nested list printing thing must be a big deal, even though I really had no idea how.

Seeing so many packages for exactly the same task started to feel really weird; deep inside, something told me that something was wrong. So I downloaded one and began to work out what it was all about, and as soon as I searched for “simple printer of nested lists”, I knew exactly what they were:


They are spam.

The content of the package (zip or tarball) is always:

PKG-INFO
nester.py
setup.py

The module filename may differ—in this case, it’s nester.py—but the code in the file always has the same strange function name:

def print_lol(...):

It sometimes has different arguments and some additional comments; I believe these are all there to create confusion. But the goal and purpose are clear: using the url in setup.py to lure people to websites, which are linked from PyPI. Some of those packages don’t even have files uploaded, just a website link.
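The pattern described above (one recurring summary under many package names, a three-file sdist, and a module defining print_lol) can be turned into a feed-side and a package-side heuristic. The following is an added example written for this post, not code from the author or from PyPI; the tarball it inspects is constructed in-memory, and the function names and the min_names threshold are my own choices.

```python
import io
import re
import tarfile
from collections import defaultdict

# Description the post reports recurring under many unrelated package names.
SPAM_SUMMARY = "A simple printer of nested lists"
# Function name the post reports in every one of these modules.
SPAM_FUNC = re.compile(r"^\s*def\s+print_lol\s*\(", re.MULTILINE)


def repeated_summaries(feed, min_names=3):
    """Summaries seen under at least min_names distinct package names.
    feed: list of (package_name, summary) pairs from a new-packages feed."""
    names_by_summary = defaultdict(set)
    for name, summary in feed:
        names_by_summary[summary.strip()].add(name)
    return {s: sorted(n) for s, n in names_by_summary.items() if len(n) >= min_names}


def build_sdist(module, summary, module_src, url):
    """Constructed sample tarball in the three-file layout the post describes."""
    files = {
        "PKG-INFO": f"Metadata-Version: 1.0\nName: {module}\nSummary: {summary}\nHome-page: {url}\n",
        f"{module}.py": module_src,
        "setup.py": f"from distutils.core import setup\nsetup(name={module!r}, url={url!r})\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, text in files.items():
            data = text.encode()
            info = tarfile.TarInfo(f"{module}-1.0/{name}")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def sdist_indicators(tar_bytes):
    """Heuristics that fire on one sdist; an empty list means nothing matched."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tar:
        members = {m.name.split("/", 1)[-1]: tar.extractfile(m).read().decode()
                   for m in tar.getmembers() if m.isfile()}
    hits = []
    if SPAM_SUMMARY in members.get("PKG-INFO", ""):
        hits.append("summary is the recurring 'nested lists' description")
    modules = [n for n in members if n.endswith(".py") and n != "setup.py"]
    if len(modules) == 1 and set(members) == {"PKG-INFO", "setup.py", modules[0]}:
        hits.append("three-file layout: PKG-INFO, setup.py and one module")
    if any(SPAM_FUNC.search(members[m]) for m in modules):
        hits.append("module defines print_lol()")
    return hits
```

The layout check alone also matches many legitimate single-module packages, so treat it as supporting evidence and weight the summary and function-name hits more heavily.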

It seems to have started around 2014-02-12, according to the first package. I filed a report and got a quick response:

Richard Jones: I regularly clean out these modules. Just try to ignore them.

Apparently, it is more common than I thought.

I have seen spam on GitHub, and now on PyPI; I wonder who’s next. Whoever is next, if you see any on PyPI like I do, well, all you can do is ignore them.