Unclaimed Package Question

I have a question, yesterday i found a unclaimed pip package, i claim it and install a script for test, but today i found that its been taken? not found in my account?
Why is that?

Unless you provide us with the actual name of the package in question, we can only wildly guess. However if it just contained a test script with no real functionality, its possible that it was removed for name squatting, which is not allowed per PEP 541:

A project published on the Package Index meeting ANY of the following is considered invalid and will be removed from the Index:

  • project is name squatting (package has no functionality or is empty);

Package name was scavenger-py
It was not empty but a script to test ping

Not sure, but a trivial test script to, as you say, “claim” the name could still easily be considered squatting, per the above-quoted definition—it doesn’t have to completely empty. It’s also a little close to the name of the existing package scavenger, but I believe the typosquatting detector would have flagged it immediately on upload, rather than some time after.

Beyond that, not sure but perhaps one of the PyPI admins or someone else more specifically knowledgeable, will come along and explain. You could also try re-uploading with at least a prototype of the actual content you indent your package to have, and if it still doesn’t work, you could consider submitting a support request (though it can be very backlogged), or just choose a different name for your package.

I tried reuploading got this error The name ‘scavenger-py’ isn’t allowed.

Then, as previously mentioned, I would guess that’s the typosquatting detector triggering due to the possible confusing with the existing scavenger package. Just in case its not, you could submit a support request issue, but you’re probably better off just picking a more unique package name and uploading once you have meaningful functional content in your package that actually serves the purpose that you intend your actual package to.

actually i am a security researcher, finding dependency issues for them, thats why i needed that package name

Then the system worked as intended, and the name presumably will not be unblocked. See, e.g. this previous thread for an example of similar activity.

Packages that do little more than ping home are against PyPI’s TOS, and so are removed and blocked pretty quickly. Repeated attempts will get entire accounts blocked.

PyPI is not a test platform for security researchers - you can use your own private index to demonstrate these kinds of attacks.