Build script exposes PyPI to domain takeover attacks

Nov. 25, 2025, 9:14 a.m.

Description

ReversingLabs researchers discovered vulnerable code in legacy Python packages that could enable an attack on the Python Package Index (PyPI) via a domain compromise. The vulnerability lies in bootstrap files for a build tool that installs the Python package 'distribute' and performs other tasks. When executed, the bootstrap script fetches and executes an installation script from python-distribute.org, a domain now available for sale. Affected packages include tornado, pypiserver, slapos.core, and others. The issue stems from the complex history of Python packaging tools and the failure to formally decommission the 'distribute' module. This vulnerability highlights the risks of relying on hard-coded domains and the importance of addressing code rot in open-source projects.
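As an added example (not code from the advisory or from ReversingLabs), a small scanner that walks a checkout and flags Python files still hard-coding the abandoned python-distribute.org domain; the bootstrap file names and the sample file content are assumptions for illustration, and nothing is fetched from the network.

```python
import re
from pathlib import Path

# Domain named in the advisory: legacy 'distribute' bootstrap scripts fetched
# their installer from it, and it is now listed for sale.
ABANDONED_DOMAINS = {"python-distribute.org"}

# File names the legacy bootstrap scripts were commonly shipped under
# (assumption, not taken from the advisory); every .py file is scanned anyway.
BOOTSTRAP_NAMES = {"distribute_setup.py", "ez_setup.py"}

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)

def abandoned_hosts(text: str, domains=ABANDONED_DOMAINS) -> list[str]:
    """Hosts of http(s) URLs in text that are, or sit under, an abandoned domain."""
    hits = []
    for m in URL_RE.finditer(text):
        host = m.group(1).lower().rstrip(".")
        if host in domains or any(host.endswith("." + d) for d in domains):
            hits.append(host)
    return hits

def scan_source(source: str) -> list[tuple[int, str]]:
    """Return (line number, host) for each line that references an abandoned domain."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for host in abandoned_hosts(line):
            findings.append((lineno, host))
    return findings

def scan_tree(root: Path) -> dict[str, list[tuple[int, str]]]:
    """Report every .py file with an abandoned-domain reference; a bootstrap-named
    file with no hit is still listed (empty findings) so it gets a manual look."""
    report = {}
    for path in root.rglob("*.py"):
        try:
            source = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue
        findings = scan_source(source)
        if findings or path.name in BOOTSTRAP_NAMES:
            report[str(path.relative_to(root))] = findings
    return report

# Constructed sample resembling a legacy bootstrap file (not the real script).
SAMPLE_BOOTSTRAP = (
    'DEFAULT_URL = "http://python-distribute.org/"\n'
    "def download_setuptools(url=DEFAULT_URL):\n"
    "    # runs whatever the domain serves today, so a new owner controls the build\n"
    "    return urlopen(url + 'installer.py').read()\n"
)

if __name__ == "__main__":
    for lineno, host in scan_source(SAMPLE_BOOTSTRAP):
        print(f"line {lineno}: hard-coded fetch from {host}")
```

Run `scan_tree(Path("."))` at the root of a project or a vendored dependency tree to list files that still point at the domain.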

Date

  • Created: Nov. 24, 2025, 9:10 p.m.
  • Published: Nov. 24, 2025, 9:10 p.m.
  • Modified: Nov. 25, 2025, 9:14 a.m.

Linked vulnerabilities