[Python-Dev] SK-CSIRT identified malicious software libraries in the official Python package repository, PyPI

Victor Stinner victor.stinner at gmail.com
Fri Sep 15 17:16:34 EDT 2017

An idea for typo squatting would be to compute the Levenshtein
distance with package names of standard library and top 100 most
popular PyPI packages, and require to contact a moderation team if the
name is too close to an existing package. The moderation team will
review the email, but also watch the package during 1 month to check
if everything seems fine.

It requires to have a list of all package names of the standard
library, and maintain an up to date list of popular PyPI package

It also requires to set up a mailing list, and tooling to report the
error message to users, and then give moderators the right to create
the package. I'm not sure that it's easy to implement it.


More information about the Python-Dev mailing list