[Distutils] Malicious packages on PyPI
thomas at kluyver.me.uk
Thu Jun 1 13:18:48 EDT 2017
Are we aware of this?
I recall there were a couple of these before which were taken down, but
someone appears to have made a cookiecutter template so you can very
easily claim names on PyPI, and anyone who installs that package will
submit their information to that site. A couple that are up at the
Do we delete them? Do we try to detect similar packages being uploaded
and block them? I suspect it's a waste of time to try to prevent this in
general, but maybe it's worth protecting likely names that people might
'pip install' by mistake, such as requirements-txt.
More information about the Distutils-SIG