[New-bugs-announce] [issue43796] "install" package on PyPI

Jared Ondricek report at bugs.python.org
Fri Apr 9 12:50:34 EDT 2021

New submission from Jared Ondricek <flamableconcrete at gmail.com>:

I recently accidentally typed "pip install pip install <package-i-really wanted>" and it installed a package called "install" that has 1 star on GitHub. It is also in use by 2.3k repositories according to the GitHub dependency graph view. I don't think it's malicious, but it does seem a bit sketchy. I just know this sort of thing has been in the news lately, and maybe this is that sort of thing that ought to be looked at by someone smarter than me about security stuff.

The way Perl deals with this specific issue is by using a specific dummy module so no one can do this on accident.

Is this worth the time to discuss? Or am I just being paranoid about a third party library called install?

PyPI entry: https://pypi.org/project/install/
GitHub page: https://github.com/eugenekolo/pip-install
GitHub projects that depend on it: https://github.com/eugenekolo/pip-install/network/dependents?package_id=UGFja2FnZS0xMjU0NTI3MDI5
Perl dummy install module: https://metacpan.org/pod/install

messages: 390647
nosy: flamableconcrete
priority: normal
severity: normal
status: open
title: "install" package on PyPI
type: security

Python tracker <report at bugs.python.org>
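The mistake described in the report, a repeated `pip install` turning the word "install" into a requirement, can be caught mechanically. The following is an added example, not part of the original report or of pip: it flags requirement names that collide with pip's own subcommands, in a command line or in requirements-file text. The function names and sample inputs are assumptions made for illustration.

```python
import re
import shlex

# pip's own subcommand names. A requirement with one of these names is far
# more likely a mistyped command than an intended dependency. "wheel" is
# deliberately omitted: it is also a widely used legitimate package.
PIP_SUBCOMMANDS = {
    "install", "download", "uninstall", "freeze", "list", "show", "check",
    "config", "search", "cache", "hash", "completion", "debug", "help",
}
# `pip install` options whose next token is a value, not a requirement.
VALUE_OPTIONS = {
    "-r", "--requirement", "-c", "--constraint", "-e", "--editable",
    "-t", "--target", "-i", "--index-url", "--extra-index-url",
    "-f", "--find-links", "--prefix", "--root",
}

def project_name(requirement):
    """Return the normalized (PEP 503) project name, or None for paths."""
    m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", requirement.strip())
    return re.sub(r"[-_.]+", "-", m.group(0)).lower() if m else None

def flag_command(cmdline):
    """Names in a `pip install ...` command that collide with subcommands."""
    tokens = shlex.split(cmdline)
    if "install" not in tokens:
        return []
    args = iter(tokens[tokens.index("install") + 1:])
    hits = []
    for tok in args:
        if tok in VALUE_OPTIONS:
            next(args, None)  # skip the option's value
        elif not tok.startswith("-") and project_name(tok) in PIP_SUBCOMMANDS:
            hits.append(project_name(tok))
    return hits

def flag_requirements(text):
    """(line number, name) pairs in requirements-file text that collide."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        req = line.split("#", 1)[0].strip()
        if req and not req.startswith("-") and project_name(req) in PIP_SUBCOMMANDS:
            hits.append((lineno, project_name(req)))
    return hits

# Constructed sample input, not taken from any real project.
SAMPLE_REQUIREMENTS = "requests==2.25.1\ninstall\n# install\nFlask>=1.1\nInstall==1.0\n"

if __name__ == "__main__":
    print(flag_command("pip install pip install requests"))
    print(flag_requirements(SAMPLE_REQUIREMENTS))
```

A hit is a prompt to review the line, not proof of a problem, since a project may intentionally depend on a package that shares a name with a subcommand.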
