millshre
(Ryan Mills)
May 23, 2023, 2:08pm
Hi. This might already exist, but is there a list of previously submitted malicious packages? We track installed packages, and it would be of interest to be able to compare our list to malicious packages that have made it into production so that we could address them and remove them.
Welcome to the Python Discourse! Just FYI, don’t forget to search for previous threads, and make sure your post is in the right category.
This has been requested before, e.g.:
Hi everyone,
I would like to ask if there are any plans to make the list of denied packages on PyPI available to the community. If no, is this something to consider?
Thanks in advance,
Fridolin
There is an open issue to do this…
opened 03:42PM - 12 Sep 18 UTC (labels: feature request, needs discussion, APIs/feeds)
**What's the problem this feature will solve?**
Users who may have possibly installed malicious packages don't have insight into what packages have been taken down by PyPI administrators.
**Describe the solution you'd like**
PyPI should publish both a human-readable and machine-readable (API) list of malicious packages that have been taken down. Ideally the human-readable list would be sortable by package name, or by the date it was created/taken down.
**Additional context**
Feature request to automatically uninstall packages via this API in `pip`: https://github.com/pypa/pip/issues/5777
Which then evolved into this proposed approach for handling it:
opened 09:17PM - 04 Dec 21 UTC
Following from some [discussion](https://github.com/pypa/warehouse/issues/4703#issuecomment-985270450) in https://github.com/pypa/warehouse/issues/4703, do we think that packages removed from PyPI due to being classified as malware, etc should cause advisories to be generated here?
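As an added illustration of the workflow the original post asks for, and of what the advisory-database approach in the linked issue would enable, here is an example (not code from this thread, PyPI or pypa/advisory-database) that checks `pip freeze` output against advisories in the OSV JSON shape. The advisory id, package name and freeze lines are constructed, and version ordering is simplified to numeric release segments.

```python
import re

# Constructed sample input: `pip freeze` output and one advisory in the OSV JSON
# shape that pypa/advisory-database uses (the id and package name are invented).
PIP_FREEZE = "requests==2.31.0\nColourama==0.4.6\n"
ADVISORIES = [{
    "id": "MAL-0000-EXAMPLE",
    "affected": [{"package": {"ecosystem": "PyPI", "name": "colourama"},
                  "ranges": [{"type": "ECOSYSTEM",
                              "events": [{"introduced": "0"}]}]}],
}]

def normalize(name):
    """PEP 503 normalization, so Colourama, colourama and colour_ama compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def release_tuple(version):
    """Simplified PEP 440 ordering using numeric release segments only (assumption)."""
    return tuple(int(p) for p in re.findall(r"\d+", version))

def version_in_range(version, events):
    """Walk sorted OSV ECOSYSTEM events; True if version sits in an
    [introduced, fixed) window.  introduced "0" with no fixed covers every release."""
    v, affected = release_tuple(version), False
    for ev in events:
        if "introduced" in ev:
            affected = ev["introduced"] == "0" or release_tuple(ev["introduced"]) <= v
        elif "fixed" in ev and release_tuple(ev["fixed"]) <= v:
            affected = False
    return affected

def find_malicious(freeze_text, advisories):
    """Return (installed name, version, advisory id) for each installed match."""
    index, hits = {}, []
    for adv in advisories:
        for aff in adv.get("affected", []):
            pkg = aff.get("package", {})
            if pkg.get("ecosystem") == "PyPI":
                index.setdefault(normalize(pkg["name"]), []).append((adv["id"], aff))
    for line in freeze_text.splitlines():
        if "==" not in line:
            continue  # editable/VCS lines are skipped in this simplified parser
        name, version = (s.strip() for s in line.split("==", 1))
        for adv_id, aff in index.get(normalize(name), []):
            pinned = version in aff.get("versions", [])
            ranged = any(version_in_range(version, r.get("events", []))
                         for r in aff.get("ranges", []) if r.get("type") == "ECOSYSTEM")
            if pinned or ranged:
                hits.append((name, version, adv_id))
    return hits
```

Every tuple returned by `find_malicious` is an installed package that an advisory marks as malicious, which is the removal list the original post wants to build.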