[Distutils] Malicious packages on PyPI

Thomas Kluyver thomas at kluyver.me.uk
Thu Jun 1 13:18:48 EDT 2017

Are we aware of this?

I recall there were a couple of these before which were taken down, but
someone appears to have made a cookiecutter template so you can very
easily claim names on PyPI, and anyone who installs that package will
submit their information to that site. A couple that are up at the


Do we delete them? Do we try to detect similar packages being uploaded
and block them? I suspect it's a waste of time to try to prevent this in
general, but maybe it's worth protecting likely names that people might
'pip install' by mistake, such as requirements-txt.


More information about the Distutils-SIG mailing list