This package demonstrates what a malicious PyPI package could do to you :-)

Project description

Malicious package proof of concept

What it does: it downloads a Python file from a GitHub gist and runs it during installation. That Python file creates a file in your /tmp. Nothing really malicious, but you get the point.

I created it mainly to test methods of installing Python packages without the danger of running their setup.py. At the moment there seem to be none. Poetry manages to at least determine the dependencies of packages without running their setup.py files, but also uses pip internally when installing.

As a workaround, you can forbid the use of source distribution packages by passing the `--only-binary :all:` flag to your pip commands, so that only wheels are installed and no setup.py is executed. Unfortunately, some packages do not have a binary distribution, and you will be unable to install them with this flag.
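To know in advance which pinned requirements would break under `--only-binary :all:`, the following added example (not part of this package) classifies each release by whether a wheel exists. It parses the file list in the shape PyPI's JSON API returns for a release (`urls` entries with a `packagetype` field); the responses below are constructed inline so it runs offline.

```python
"""Audit which pinned requirements have a wheel, so that
`pip install --only-binary :all:` can be enforced without surprises.

Added example, not part of the i-am-malicious package. The release dicts
are constructed samples shaped like https://pypi.org/pypi/<name>/<version>/json
(only the fields used here are included), so no network access is needed.
"""
import json
from typing import Callable, Dict, List

# Constructed sample responses (assumption: same shape as PyPI's release JSON).
SAMPLE_RELEASES: Dict[str, dict] = {
    "i-am-malicious==1.0.5": {
        "urls": [{"filename": "i-am-malicious-1.0.5.tar.gz", "packagetype": "sdist"}]
    },
    "somewheel==2.0": {  # hypothetical package name
        "urls": [
            {"filename": "somewheel-2.0.tar.gz", "packagetype": "sdist"},
            {"filename": "somewheel-2.0-py3-none-any.whl", "packagetype": "bdist_wheel"},
        ]
    },
}


def has_wheel(release_json: dict) -> bool:
    """True if the release ships at least one bdist_wheel file.

    A wheel is installed by unpacking only; installing an sdist runs the
    package's setup.py (or build backend) on the installing machine.
    """
    return any(f.get("packagetype") == "bdist_wheel" for f in release_json.get("urls", []))


def audit_requirements(requirements: List[str], fetch: Callable[[str], dict]) -> Dict[str, List[str]]:
    """Split pinned requirements into those installable with --only-binary :all:
    and those that would require a source build (and thus a setup.py run).
    `fetch(req)` returns the release JSON for `req`; here it is an offline lookup."""
    result: Dict[str, List[str]] = {"wheel_available": [], "sdist_only": []}
    for req in requirements:
        key = "wheel_available" if has_wheel(fetch(req)) else "sdist_only"
        result[key].append(req)
    return result


if __name__ == "__main__":
    report = audit_requirements(list(SAMPLE_RELEASES), SAMPLE_RELEASES.__getitem__)
    # Entries under "sdist_only" fail under --only-binary :all:; review their
    # setup.py before allowing a source build of them.
    print(json.dumps(report, indent=2))
```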

Here are some more resources to read about the problem:

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Files for i-am-malicious, version 1.0.5

Filename, size: i-am-malicious-1.0.5.tar.gz (2.3 kB)
File type: Source
Python version: None
