Here's a story about how malicious PyPI packages help break into corporate networks.
It is not necessarily the goal this particular person was aiming for. Just a side note.
"Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies"

Best regards,

On Sun, Jan 30, 2022 at 6:48 PM Ralf Gommers <> wrote:

On Mon, Jun 14, 2021 at 3:22 AM Charles R Harris <> wrote:

On Sun, Jun 13, 2021 at 10:47 AM Ralf Gommers <> wrote:
Hi all,

FYI, I noticed this package that claimed to be maintained by us: That's not ours, so I tried to contact the author (no email provided, but guessed the same username on GitHub) and asked to remove it:

There are a very large number of packages with "numpy" in the name on PyPI, and there's no way we can audit/police that effectively, but if it's a rebuild that pretends to be official then I think it's worth doing something about. It could contain malicious code for all we know.

That is a pretty misleading package description; it would have fooled me if I didn't know better. I didn't get the impression it was malicious, but still ...

Hard to know whether it was malicious or not.

I finally filed a PyPI issue to hand over the package to me so I can delete the wheel and replace the README:


NumPy-Discussion mailing list --