Links

What That Google Drive 'Security Update' Message Means (arstechnica.com) 9

An anonymous reader quotes a report from Ars Technica: "A security update will be applied to Drive," Google's weird new email reads. If you visit drive.google.com, you'll also see a message saying, "On September 13, 2021, a security update will be applied to some of your files." You can even see a list of the affected files, which have all gotten an unspecified "security update." So what is this all about? Google is changing the way content sharing works on Drive. Drive files have two sharing options: a single-person allow list (where you share a Google Doc with specific Google accounts) and a "get link" option (where anyone with the link can access the file). The "get link" option works the same way as unlisted YouTube videos -- it's not really private but, theoretically, not quite public, either, since the link needs to be publicized somewhere. The secret sharing links are really just security through obscurity, and it turns out the links are actually guessable.

Google knew about the problem of guessable secret links for a while and changed the way link generation works back in 2017 (presumably for Drive, too?). Of course, that doesn't affect links you've shared in the past, and soon Google is going to require your old links to change, which can break them. Google's new link scheme adds a "resourcekey" to the end of any shared Drive links, making them harder to guess. So a link that used to look like "https://drive.google.com/file/d/0BxI1YpjkbX0OZ0prTHYyQ1U2djQ/" will now look like "https://drive.google.com/file/d/0BxI1YpjkbX0OZ0prTHYyQ1U2djQ/view?resourcekey=0-OsOHHiQFk1QEw6vIyh8v_w." The resource key makes it harder to guess. If you head to drive.google.com/drive/update-drives in a browser, you should be able to see a list of your impacted files, and if you mouse over them you'll see a button on the right to remove or apply the security update. "Applied" means the resourcekey will be required after September 13, 2021, and will (mostly) break the old link, while "removed" means the resourcekey isn't required and any links out there should keep working.
YouTube is also making similar changes. "In 2017, we rolled out an update to the system that generates new YouTube Unlisted links, which included security enhancements that make the links for your Unlisted videos even harder for someone to discover if you haven't shared the link with them," says YouTube in a support page.

YouTube creators can decide to opt out of this change. They also have the option of making Unlisted pre-2017 videos public or re-uploading as a new Unlisted video at the expense of stats.
China

China Targets Mobile Pop-Ups in Latest Tech Crackdown (bloomberg.com) 8

China ordered Tencent Holdings and 13 other developers to rectify problems related to pop-ups within their apps, adding to a wide-ranging crackdown on the country's tech sector. From a report: The companies must address the "harassing" pop-up windows, which could contain misleading information or divert users away from the apps, the Ministry of Industry and Information Technology said in a statement on Wednesday. The 14 services, including an e-books app by Tencent's QQ and a video platform by Le.com, will have to fix the problems by Aug. 3. "Failure to abide by regulations" will not be tolerated and will be "penalized" accordingly, said the ministry.

Pop-ups, often used for advertising, are just the latest targets in a series of government crackdowns that have ranged from antitrust to data security, as Beijing seeks to rein in the tech giants' influence over most of everyday life. The crackdown has stepped into high gear in recent days after regulators announced their toughest-ever curbs on the online education sector and issued edicts governing food delivery, fueling a rout in Chinese tech stocks. The statement by MIIT comes days after the regulator announced a six-month crackdown on illegal online activities. The ministry on Monday said it will take steps to root out violations involving pop-ups, data collection and storage as well as the blocking of external links. Other regulators including the Cyberspace Administration of China have also pledged to tighten restrictions on misleading and explicit content used for marketing purposes. The watchdog said such material will be subject to harsher oversight, issuing fines against companies like Tencent, Kuaishou Technology and Alibaba Group Holding Ltd. for offensive content.

Facebook

Facebook, Twitter and Other Tech Giants To Target Attacker Manifestos, Far-right Militias in Database (reuters.com) 197

A counterterrorism organization formed by some of the biggest U.S. tech companies including Facebook and Microsoft is significantly expanding the types of extremist content shared between firms in a key database, aiming to crack down on material from white supremacists and far-right militias, the group told Reuters. From the report: Until now, the Global Internet Forum to Counter Terrorism's (GIFCT) database has focused on videos and images from terrorist groups on a United Nations list and so has largely consisted of content from Islamist extremist organizations such as Islamic State, al Qaeda and the Taliban. Over the next few months, the group will add attacker manifestos -- often shared by sympathizers after white supremacist violence -- and other publications and links flagged by U.N. initiative Tech Against Terrorism. It will use lists from intelligence-sharing group Five Eyes, adding URLs and PDFs from more groups, including the Proud Boys, the Three Percenters and neo-Nazis. The firms, which include Twitter and Alphabet's YouTube, share "hashes," unique numerical representations of original pieces of content that have been removed from their services. Other platforms use these to identify the same content on their own sites in order to review or remove it.
Google

A New Tool Shows How Google Results Vary Around the World (wired.com) 24

Search Atlas makes it easy to see how Google offers different responses to the same query on versions of its search engine offered in different parts of the world. From a report: The research project reveals how Google's service can reflect or amplify cultural differences or government preferences -- such as whether Beijing's Tiananmen Square should be seen first as a sunny tourist attraction or the site of a lethal military crackdown on protesters. Divergent results like that show how the idea of search engines as neutral is a myth, says Rodrigo Ochigame, a PhD student in science, technology, and society at MIT and cocreator of Search Atlas. "Any attempt to quantify relevance necessarily encodes moral and political priorities," Ochigame says. Ochigame built Search Atlas with Katherine Ye, a computer science PhD student at Carnegie Mellon University and a research fellow at the nonprofit Center for Arts, Design, and Social Research.

Just like Google's homepage, the main feature of Search Atlas is a blank box. But instead of returning a single column of results, the site displays three lists of links, from different geographic versions of Google Search selected from the more than 100 the company offers. Search Atlas automatically translates a query to the default languages of each localized edition using Google Translate. Ochigame and Ye say the design reveals "information borders" created by the way Google's search technology ranks web pages, presenting different slices of reality to people in different locations or using different languages.

Social Networks

Jordan's Government Used Secretly Recorded Clubhouse Audio To Spread Disinformation (restofworld.org) 13

In a new report released last week by The Stanford Internet Observatory, researchers analyzed a Jordanian disinformation network that pushed pro-monarchy and pro-military narratives on Facebook, Twitter, and TikTok. The campaign, which Facebook said in a separate report had links to the Jordanian military, also republished audio that had been secretly recorded on Clubhouse. Rest of World reports: Researchers said this is the first time they have identified a disinformation operation that relied on Clubhouse and TikTok, indicating that some states are taking advantage of newer platforms to spread propaganda. The Jordanian campaign cobbled together audio and screen recordings from Clubhouse into at least one video that was then shared on Facebook. According to the report, the audio was taken from a conversation in which Jordanians outside the country and other Arab voices discussed Prince Hamzah, the half-brother of Jordan's leader, King Abdullah II, who was taken into custody in early April, along with over a dozen other prominent figures. Jordanian authorities accused Hamzah of plotting to destabilize the government, and while the prince later publicly pledged his loyalty to the king, he currently remains on house arrest.

People who saw the video "didn't know that it was linked to individuals in the Jordanian military," said Shelby Grossman, a research scholar at the Internet Observatory and a co-author of the report. "But at the same time, you could imagine that if someone watched this video, they might think to themselves, 'Oh, people are listening when you have these Clubhouse conversations.'" While Clubhouse has not been officially banned by the Jordanian government, the nonprofit Jordan Open Source Association found that the app can currently only be accessed using a VPN. Recording is against Clubhouse's Terms of Service, which prohibits users from capturing "any portion of a conversation without the expressed consent of all of the speakers involved."

The most extensive portion of the Jordanian disinformation network was on Facebook. The social network said in its report that it had removed over 100 Facebook and Instagram accounts, three groups, and 35 pages connected to the campaign, four of which had more than 80,000 followers. The effort also included around $26,000 worth of Facebook ads, but it's unclear exactly whom they may have targeted. A spokesperson for Facebook said that the company's Ad Library transparency tool doesn't currently include data on ads that were run previously in Jordan.
The report says that the researchers "also identified a handful of sock puppet accounts on TikTok that appeared to have ties to the same network." They didn't put a lot of effort into it though. "[T]he fake personalities didn't post original content, instead sharing videos from established accounts associated with the Jordanian military."
United States

US Sanctions a Chinese Facial Recognition Company With Silicon Valley Funding (theverge.com) 11

The US Department of Commerce has sanctioned 14 Chinese tech companies over links to human rights abuses against Uyghur Muslims in Xinjiang, including one backed by a top Silicon Valley investment firm. From a report: DeepGlint, also known as Beijing Geling Shentong Information Technology Co., Ltd., is a facial recognition company with deep ties to Chinese police surveillance, and funding from US-based Sequoia Capital. Today the Commerce Department added it to its Entity List, which restricts US companies from doing business with listed firms without a special license. Sequoia did not immediately respond to a request for comment. DeepGlint co-founded a facial recognition lab in 2018 with Chinese authorities in Urumqi, the capital of Xinjiang, according to the South China Morning Post. It has also gained international bragging rights through the US National Institute of Standards and Technology's (NIST) Face Recognition Vendor Test. DeepGlint claimed top accuracy in the test as of January 2021, giving it a potent marketing tool in the security and surveillance industry. While DeepGlint has been accepted for a public offering on Shanghai's STAR stock exchange, the firm hasn't seen the commercial success of other AI startups in the country, explained Jeffrey Ding in his ChinAI newsletter last month. Since the firm is so heavily invested in government work, it has to follow slow government procurement cycles and is unlikely to score huge infrastructure projects, Ding writes.
Privacy

Why Email Providers Scan Your Emails (consumerreports.org) 98

An anonymous reader shares a report: If you receive emails flagged as spam or see a warning that a message might be a phishing attempt, it's a sign that your email provider is scanning your emails. The company may do that just to protect you from danger, but in some situations it can delve into your communications for other purposes, as well. Google announced that it would stop scanning Gmail users' email messages for ad targeting in 2017 -- but that doesn't mean it stopped scanning them altogether. Verizon didn't respond to requests for comments about Yahoo and AOL's current practices, but in 2018 the Wall Street Journal reported that both email providers were scanning emails for advertising. And Microsoft scans its Outlook users' emails for malicious content. Here's what major email providers say about why they currently scan users' messages.

Email providers can scan for spam and malicious links and attachments, often looking for patterns. [...] You may see lots of ads in your email inbox, but that doesn't necessarily mean your email provider is using the content of your messages to target you with marketing messages. For instance, like Google, Microsoft says that it refrains from using your email content for ad targeting. But it does target ads to consumers in Outlook, along with MSN, and other websites and apps. The data to do that come from partnering with third-party providers, plus your browsing activity and search history on Bing and Microsoft Edge, as well as information you've given the company, such as your gender, country, and date of birth.

[...] If you're using an email account provided by your employer, an administrator with qualifying credentials can typically access all your incoming and outgoing emails on that account, as well as any documents you create using your work account or that you receive in your work account. This allows companies to review emails as part of internal investigations and access their materials after an employee leaves the company. [...] Law enforcement can request access to emails, though warrants, court orders, or subpoenas may be required. Email providers may reject requests that don't satisfy applicable laws, and may narrow requests that ask for too much information. They may also object to producing information altogether.

United States

Highly Anticipated UFO Report Expected To Be Presented To Congress Later Today (go.com) 71

ABC News reports: A highly anticipated UFO report prepared by the U.S. intelligence community is expected to be presented to congressional committees on Friday, according to a U.S. official, but officials have told ABC News the report will not provide definitive explanations for the dozens of encounters reported by the U.S. military with unidentified aerial phenomena, or UAPs. And in a development certain to disappoint UFO enthusiasts who have hoped that the report may have found links to alien spacecraft, the report has not found any evidence to suggest any links to such theories, according to three officials. The report prepared by the Director of National Intelligence (DNI) was required by the Intelligence Authorization Act passed by Congress late last year. The U.S. intelligence community was given 180 days to prepare an unclassified and classified report on what the U.S. government knew about UAPs.
Google

A Bunch of Google Drive Links Are About To Be Broken (xda-developers.com) 31

In a blog post today, Google announced a series of new security enhancements that will make many publicly accessible Google Drive links no longer accessible. The enhancements are being brought to Google Drive on September 23rd, 2021. XDA Developers reports: Once this change goes live, Google says that users will need a "resource key" to access a publicly shared link. However, users won't need an updated link with said resource key appended if they've already accessed that file before in the past. As a result of this change, we can imagine that lots of Google Drive links shared online on forums and other sites will no longer work as their owners neglect to update them, leaving them only accessible to the people that have already clicked the links before.

According to the post made on the Google Workspace blog, this won't affect all files. Users who have shared a file that is affected by this change will get an email from Google informing them of this change and how to opt out of needing those files from being updated. These emails will be sent out to users starting on July 26th. Google shared a copy of a sample email to show end-users what the message they'll get will look like. The company doesn't recommend opting out all files and says that only the files that you want publicly accessible should be opted out. Users have until September 13th to decide if they want the update applied, so if you have no files that are publicly accessible, then you won't need to do anything.
YouTube is also making similar changes. "Starting on July 23, Unlisted videos uploaded before the January 1, 2017, system change will be automatically made private," reports 9to5Google. "That said, YouTube creators can decide to opt out of this change. Filling out this form will let you 'keep your Unlisted videos uploaded before 2017 in their current Unlisted state.' Other options include making Unlisted pre-2017 videos public or re-uploading as a new Unlisted video at the expense of stats."
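Both Drive stories above describe the same change: shared links without a "resourcekey" query parameter will stop working after the update, and owners are expected to find and refresh them. As an added example that is not code from Ars Technica, XDA Developers or Google, this small audit scans a block of text for Drive file links and reports which ones still lack the resourcekey. The sample links are constructed, and handling of the "/open?id=" form is an assumption beyond the single URL shape the article shows.

```python
"""Audit shared Google Drive links for the 'resourcekey' parameter.

Added example: scans text (a forum export, wiki dump, README) for Drive
file links and separates those already in the new resourcekey form from
those that will break once the key becomes mandatory.
"""
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample text; the first two links mirror the before/after
# shapes quoted in the article, the rest are assumed variants.
SAMPLE_TEXT = """
Old share: https://drive.google.com/file/d/0BxI1YpjkbX0OZ0prTHYyQ1U2djQ/
Updated:   https://drive.google.com/file/d/0BxI1YpjkbX0OZ0prTHYyQ1U2djQ/view?resourcekey=0-OsOHHiQFk1QEw6vIyh8v_w
Open form: https://drive.google.com/open?id=1AbCdEfGhIjKlMnOpQrStUvWxYz0123456
Not drive: https://example.com/file/d/abc/view
"""

# Greedy URL matcher that stops at whitespace and common delimiters.
URL_RE = re.compile(r"https?://[^\s<>\"')]+")
# Drive file IDs are URL-safe base64-style tokens in the /file/d/<id>/ path.
FILE_PATH_RE = re.compile(r"^/file/d/([A-Za-z0-9_-]+)")


def classify_link(url):
    """Return (file_id, has_resourcekey) for a Drive file link, else None.

    Recognises https://drive.google.com/file/d/<id>/... and, as an assumed
    variant, https://drive.google.com/open?id=<id>. Anything else is ignored.
    """
    parts = urlparse(url)
    if parts.netloc.lower() != "drive.google.com":
        return None
    query = parse_qs(parts.query)
    match = FILE_PATH_RE.match(parts.path)
    if match:
        file_id = match.group(1)
    elif parts.path == "/open" and "id" in query:
        file_id = query["id"][0]
    else:
        return None
    # A present but empty resourcekey counts as missing.
    has_key = bool(query.get("resourcekey", [""])[0])
    return file_id, has_key


def audit(text):
    """Group Drive file IDs found in `text` by whether their link carries a key.

    The same ID can appear in both buckets when old and new forms coexist;
    the 'needs_update' list is what an owner should go fix or re-share.
    """
    report = {"needs_update": [], "has_resourcekey": []}
    for url in URL_RE.findall(text):
        result = classify_link(url)
        if result is None:
            continue
        file_id, has_key = result
        bucket = "has_resourcekey" if has_key else "needs_update"
        if file_id not in report[bucket]:
            report[bucket].append(file_id)
    return report


if __name__ == "__main__":
    for bucket, ids in audit(SAMPLE_TEXT).items():
        print(f"{bucket}: {ids}")
```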
Technology

Tim Berners-Lee Defends Auction of NFT Representing Web's Source Code (theguardian.com) 65

Tim Berners-Lee has defended his decision to auction an NFT (non-fungible token) representing the source code to the web, comparing the sale to an autographed book or a speaking tour. From a report: The creator of the world wide web announced his decision to create and sell the digital asset through Sotheby's auction house last week. In the auction, which begins on Wednesday and will run for one week, collectors will have the chance to bid on a bundle of items, including the 10,000 lines of the source code to the original web browser, a digital poster created by Berners-Lee representing the code, a letter from him, and an animated video showing the code being entered.

"This is totally aligned with the values of the web," Berners-Lee told the Guardian. "The questions I've got, they said: 'Oh, that doesn't sound like the free and open web.' Well, wait a minute, the web is just as free and just as open as it always was. The core codes and protocols on the web are royalty free, just as they always have been. I'm not selling the web -- you won't have to start paying money to follow links. "I'm not even selling the source code. I'm selling a picture that I made, with a Python programme that I wrote myself, of what the source code would look like if it was stuck on the wall and signed by me. "If they felt that me selling an NFT of a poster is inappropriate, then what about me selling a book? I do things like that, which involve money, but the free and open web is still free and open. And we do still, every now and again, have to fight to keep it free and open, fight for net neutrality and so on."

Security

ADATA Suffers 700 GB Data Leak In Ragnar Locker Ransomware Attack (bleepingcomputer.com) 21

An anonymous reader quotes a report from BleepingComputer: The Ragnar Locker ransomware gang have published download links for more than 700GB of archived data stolen from Taiwanese memory and storage chip maker ADATA. A set of 13 archives, allegedly containing sensitive ADATA files, have been publicly available at a cloud-based storage service, at least for some time. [...] Two of the leaked archives are quite large, weighing over 100GB, but several of them that could have been easily downloaded are less than 1.1GB large. Per the file metadata published by the threat actor, the largest archive is close to 300GB and its name gives no clue about what it might contain. Another large one is 117GB in size and its name is just as nondescript as in the case of the first one (Archive#2). Judging by the names of the archives, Ragnar Locker likely stole from ADATA documents containing financial information, non-disclosure agreements, among other type of details.

The ransomware attack on ADATA happened on May 23rd, 2021, forcing them to take systems offline, the company told BleepingComputer. As the Ragnar Locker leak clearly shows, ADATA did not pay the ransom and restored the affected systems on its own. The ransomware actor claims stealing 1.5TB of sensitive files before deploying the encryption routine, saying that they took their time in the process because of the poor network defenses. The recently leaked batch of archives is the second one that Ragnar Locker ransomware publishes for ADATA. The previous one was posted earlier this month and includes four small 7-zip archives (less than 250MB together) that can still be downloaded.

Facebook

Facebook Launches Its Clubhouse Clone (theverge.com) 12

Facebook's Clubhouse competitor, Live Audio Rooms, is making its way stateside. From a report: The company announced today that some US-based public figures, as well as certain groups, can start hosting rooms through the main Facebook iOS app. (People can join, however, from both iOS and Android.) Anyone can be invited up as a speaker with up to 50 people able to speak at once. There's no cap on the number of listeners allowed in -- a major shot at Clubhouse, which imposes room size limitations. It's also introducing other nifty features, like notifications when your friends or followers join a room, as well as live captions. There will be a "raise a hand" button to request to join the conversation, and reactions will be available to interact throughout the chat. Twitter Spaces, Twitter's live audio feature, includes captions, but Clubhouse still does not.

Within groups, admins can control who's allowed to create a room: moderators, group members, or other admins. Public group chats will be accessible both in and outside the group, but private group chats will be restricted to members. Additionally, hosts can also select a nonprofit or fundraiser to support during their conversation with a button to directly donate showing up on the chat. Again, this feels like a feature directly built to address a key Clubhouse use case and make it frictionless. (Many Clubhouse creators have hosted fundraisers on the app but have to direct people to outside links in order to facilitate donations.)

Microsoft

Microsoft Linux Repos Suffered 22-Hour Outage (arstechnica.com) 41

"Everything from Visual Studio Code to Microsoft Edge and Teams package links were affected," reports Windows Central. They note Azure's status page (which now shows the issue lasting for more than 22 hours), though however long it lasted, "it's a virtual eternity for those whose entire ecosystem is crippled by such an outage."

According to Ars Technica, starting on Wednesday, "packages.microsoft.com — the repository from which Microsoft serves software installers for Linux distributions including CentOS, Debian, Fedora, OpenSUSE, and more — went down hard..." The outage impacted users trying to install .NET Core, Microsoft Teams, Microsoft SQL Server for Linux (yes, that's a thing) and more — as well as Azure's own devops pipelines.

We first became aware of the problem Wednesday evening when we saw 404 errors in the output of apt update on an Ubuntu workstation with Microsoft Teams installed. The outage is somewhat better-documented at this .NET Core issue report on Github, with many users from all around the world sharing their experiences and theories...

The entire repository cluster that serves all Linux packages for Microsoft was completely down — issuing a range of HTTP 404 (content not found) and 500 (Internal Server Error) messages for any URL — for roughly 18 hours. Microsoft engineer Rahul Bhandari confirmed the outage roughly five hours after it was initially reported, with a cryptic comment about the infrastructure team "running into some space issues."

Eighteen hours after the issue was detailed, Bhandari said that the mirrors were once again available — although with temporarily degraded performance, likely due to cold caches.

Hardware

Amazon Appears To Have Removed RavPower, a Popular Phone Battery and Charger Brand (theverge.com) 95

A month ago, Amazon-first gadget brands Aukey and Mpow suddenly and mysteriously disappeared from the giant online retailer's storefront, with almost all their electronics vanishing from Amazon's shelves. Today, popular battery and charger brand RavPower has completely disappeared as well. From a report: All of the company's product listings have disappeared, leaving blank white spaces in RavPower's Amazon storefront. Searches for "RavPower" don't bring up any listings for products made by the company. Existing links to RavPower products either point to Amazon's "Sorry, we couldn't find that page" cute 404 dogs, or listings that read "Currently unavailable." By and large, this is exactly what happened to Aukey, Mpow, and other lesser-known electronics retailers last month -- except here, whoever did this has been a bit more thorough.
Social Networks

Russia Puts the Squeeze on Social Media to Police Its Critics (wsj.com) 66

Russia's government was quick to use social media when it tried to steer the course of U.S. elections, American officials say. It isn't quite as eager to see its own opponents at home try the same thing. From a report: Ahead of a parliamentary vote later this year, the Kremlin has been fine-tuning its strategy to pressure platforms such as Twitter, YouTube and TikTok to remove antigovernment content, classifying a growing number of posts as illegal and issuing a flurry of takedown requests. So far it appears to be working. The Western-dominated tech giants have in many instances complied. YouTube temporarily removed links to content laying out the opposition's voting strategy. Russian officials say Twitter is working to comply with requests to remove content that Moscow deems illegal. TikTok, owned by China's ByteDance, also removed or altered a handful of videos that criticized the government and promoted opposition street protests. TikTok, Twitter and Google, the Alphabet subsidiary that owns YouTube, say they decide whether to delete content based on local laws where they operate and on their own internal guidelines. None of the companies commented on specific cases mentioned in this article.
Open Source

Google Releases 'Open Source Insights' Dependency Visualization Tool (thenewstack.io) 11

From today's edition of Mike Melanson's "This Week in Programming" column: If you've been using open source software for any amount of time, then you're well aware of the tangled web of dependencies often involved in such projects. If not, there's any number of tools out there that explore just how interconnected everything is, and this week Google has jumped into the game with its own offering — an exploratory visualization site called Open Source Insights that gives users an interactive view of dependencies of open source projects.

Now, Google isn't the first to get into the game of trying to uncover and perhaps untangle the dizzying dependency graph of the open source world, but the company argues that it is more so trying to lay everything out in a way that developers can see, visually, just how, well, hopelessly screwed they really are.

"There are tools to help, of course: vulnerability scanners and dependency audits that can help identify when a package is exposed to a vulnerability. But it can still be difficult to visualize the big picture, to understand what you depend on, and what that implies," they write.

The Open Source Insights tool — currently "experimental" — gives users either a table or graphical visualization of how a project is composed, allowing them to explore the dependency graph and examine how using different versions of certain projects might actually affect that dependency graph. One of the benefits, Google notes, is that it allows users to see all this information "without asking you to install the package first. You can see instantly what installing a package — or an updated version — might mean for your project, how popular it is, find links to source code and other information, and then decide whether it should be installed."

Currently, the tool supports npm, Maven, Go modules, and Cargo, with more packaging systems on the way soon...

Businesses

'Amazon Prime Is an Economy-Distorting Lie' (substack.com) 171

Matt Stoller, looking at this month's antitrust suit against Amazon filed by D.C. attorney general Karl Racine: To understand why, we have to start with the idea of free shipping. Free shipping is the God of online retail, so powerful that France actually banned the practice to protect its retail outlets. Free shipping is also the backbone of Prime. Amazon founder Jeff Bezos knew that the number one pain point for online buyers is shipping -- one third of shoppers abandon their carts when they see shipping charges. Bezos helped invent Prime for this reason, saying the point of Prime was to use free shipping "to draw a moat around our best customers." The goal was to get people used to buying from Amazon, knowing they wouldn't have to worry about shipping charges. Once Amazon had control of a large chunk of online retail customers, it could then begin dictating terms of sellers who needed to reach them.

This became clear as you read Racine's complaint. One of the most important sentences in the AG's argument is a quote from Bezos in 2015 where he alludes to this point. In discussing the firm's logistics service that is the bedrock of its free shipping promise, Fulfillment by Amazon (FBA), he said, "FBA is so important because it is glue that inextricably links Marketplace and Prime. Thanks to FBA, Marketplace and Prime are no longer two things. Their economics ... are now happily and deeply intertwined." Amazon wants people to see Prime, FBA, and Marketplace as one integrated mega-product, what Bezos likes to call "a flywheel," to disguise the actual monopolization at work. (Indeed, any time you hear the word "flywheel" relating to Amazon, replace it with "monopoly" and the sentence will make sense.)

Youtube

YouTube Takes Down Ads Showing Belarusian Blogger's Possibly-Forced Confession Video (restofworld.org) 39

Last Sunday Belarus "forcibly landed a Ryanair plane flying from Athens to Vilnius and arrested the opposition blogger Roman Protasevich and his girlfriend, who were on board," Reuters reports.

By Tuesday the Guardian reports there was a "confession" video which the blogger's father said his son had clearly been physically coerced into recording.

And then... YouTube ran advertisements featuring confession videos published by Belarusian authorities of detained journalist and activist Roman Protasevich and his girlfriend Sofia Sapega, according to a number of people on social media...

The YouTube advertisements appear to have been purchased by a pro-government channel with less than 2,000 subscribers with a name which translates to "Belarus, country for life." The channel has published a number of viral videos about Belarus and its logo features the Belarusian presidential flag... Screenshots posted online suggest the ads displayed Protasevich's confession video to viewers and directed them to a pro-government Telegram channel with almost 80,000 subscribers. At least one person on Twitter also reported seeing another ad from the same channel featuring Sapega's confession tape.

A spokesperson for Google, which owns YouTube, said the company had identified both of the ads and took action against them according to its inappropriate content policy. "YouTube has always had strict policies around the type of content that is allowed to serve as ads on our platform," the spokesperson said in an email. "We quickly remove any ads that violate these policies." YouTube generally allows advertisers to run political ads, but its rules around inappropriate content prohibit those that "single out someone for abuse or harassment; content that suggests a tragic event did not happen, or that victims or their families are actors, or complicit in a cover-up of the event."

The advertisements raise questions about YouTube's ability to effectively moderate how its platform may be used to amplify questionable content in ads...

Tadeusz Giczan, editor-in-chief of NEXTA, the independent media organization Protasevich previously worked for, said on Twitter that Belarus officials have long used YouTube advertisements to spread propaganda. "Fun fact: for almost a year Belarusian state news agency BelTA has been using hostage videos like the one with Roman Protasevich as paid ads on YouTube with links to their network of pro-govt telegram channels," he wrote. "We tried everything but YouTube says there's nothing wrong about it." Last year, several people complained online about YouTube advertisements promoting Belarusian government propaganda seemingly from the same channel.

YouTube did not immediately answer follow-up questions about whether it had previously taken action against the "Belarus, country for life" account.

Bitcoin

GameStop Is Building An NFT Platform On Ethereum (theblockcrypto.com) 41

GameStop has quietly unveiled a new web portal for a non-fungible token (NFT) platform. The Block reports: "We are building a team," the page declares, stating: "We welcome exceptional engineers (solidity, react, python), designers, gamers, marketers, and community leaders. If you want to join our team, send your profile or something you've built to: nfteam@gamestop.com."

The exact scope of the project is unclear, though prominently featured on the page is a link to an Ethereum address, indicating that GameStop's team will use Ethereum as a technology base. The smart contract code declares "Game On Anon," links to GameStop's NFT page, and indicates that potential GameStop-released NFTs will utilize Ethereum's ERC721 standard. The code also points to a dedicated token, GME.

Python

How Spam Flooded the Official Python Software Package Repository PyPI (bleepingcomputer.com) 41

"The official Python software package repository, PyPI, is getting flooded with spam packages..." Bleeping Computer reported Thursday.

"Each of these packages is posted by a unique pseudonymous maintainer account, making it challenging for PyPI to remove the packages and spam accounts all at once..." PyPI is being flooded with spam packages named after popular movies in a style commonly associated with torrent or "warez" sites that provide pirated downloads: watch-(movie-name)-2021-full-online-movie-free-hd-... Although some of these packages are a few weeks old, BleepingComputer observed that spammers are continuing to add newer packages to PyPI... The web page for these bogus packages contains spam keywords and links to movie streaming sites, albeit of questionable legitimacy and legality...

In February of this year, PyPI had been flooded with bogus "Discord", "Google", and "Roblox" keygens in a massive spam attack, as reported by ZDNet. At the time, Ewa Jodlowska, Executive Director of the Python Software Foundation, had told ZDNet that the PyPI admins were working on addressing the spam attack; however, by the nature of pypi.org, anyone could publish to the repository, and such occurrences were common.

Other than containing spam keywords and links to quasi-video streaming sites, these packages contain files with functional code and author information lifted from legitimate PyPI packages... As previously reported by BleepingComputer, malicious actors have combined code from legitimate packages with otherwise bogus or malicious packages to mask their footsteps, and make the detection of these packages a tad more challenging...

In recent months, the attacks on open-source ecosystems like npm, RubyGems, and PyPI have escalated. Threat actors have been caught flooding software repositories with malware, malicious dependency confusion copycats, or simply vigilante packages to spread their message. As such, securing these repositories has turned into a whack-a-mole race between threat actors and repository maintainers.
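The two signals the report describes, warez-style distribution names and author information copied from legitimate packages, can be turned into a simple metadata triage pass. This is an added example, not BleepingComputer's or PyPI's own tooling; the package records, names and e-mail addresses in it are constructed.

```python
# Added example for the PyPI spam story above (not BleepingComputer's or PyPI's tooling).
import re
from collections import defaultdict

# Name style described in the report: watch-<movie>-2021-full-online-movie-free-hd-...
WAREZ_NAME = re.compile(r"^(watch|download|stream)-.+-(full|free|hd|online)\b", re.I)
SPAM_TOKENS = {"watch", "full", "online", "movie", "free", "hd", "stream", "streaming", "2021"}

def looks_like_warez_name(name):
    """True if the distribution name matches the warez naming pattern."""
    return WAREZ_NAME.search(name) is not None

def spam_token_ratio(summary):
    """Fraction of summary words drawn from SPAM_TOKENS (0.0 for empty text)."""
    words = re.findall(r"[a-z0-9]+", summary.lower())
    return sum(w in SPAM_TOKENS for w in words) / len(words) if words else 0.0

def triage(packages, ratio_threshold=0.5):
    """Return {name: [reasons]} for records worth a human look.

    Reasons: warez-style name, keyword-stuffed summary, or an author identity
    (name + email) shared with a normal-looking package, which is the
    'author information lifted from legitimate packages' signal in the report.
    """
    by_identity = defaultdict(list)
    for pkg in packages:
        by_identity[(pkg["author"], pkg["author_email"])].append(pkg["name"])
    findings = defaultdict(list)
    for pkg in packages:
        name, warez = pkg["name"], looks_like_warez_name(pkg["name"])
        if warez:
            findings[name].append("warez-style name")
        if spam_token_ratio(pkg.get("summary", "")) >= ratio_threshold:
            findings[name].append("keyword-stuffed summary")
        siblings = by_identity[(pkg["author"], pkg["author_email"])]
        if warez and any(not looks_like_warez_name(s) for s in siblings):
            findings[name].append("author identity shared with a normal-looking package")
    return dict(findings)

# Constructed sample records (not real PyPI packages or maintainers).
SAMPLE = [
    {"name": "httpsession-utils", "author": "Jane Dev", "author_email": "jane@example.org",
     "summary": "Small helpers for reusing HTTP sessions"},
    {"name": "watch-example-film-2021-full-online-movie-free-hd", "author": "Jane Dev",
     "author_email": "jane@example.org",
     "summary": "Watch Example Film 2021 full movie online free HD streaming"},
]
if __name__ == "__main__":
    for name, reasons in triage(SAMPLE).items():
        print(f"{name}: {', '.join(reasons)}")
```

Such heuristics only shortlist candidates for review; the copied-identity check in particular needs a human to confirm which package is the original.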
