pip / PyPI
Python package installer abuse techniques
Severity: critical | Category: Code Execution | Platforms: Linux, macOS, Windows
setuptools cmdclass Command Override
The setuptools cmdclass parameter allows package authors to override built-in setup commands such as install, develop, egg_info, build_ext, …

Severity: high | Category: Dependency Confusion | Platforms: Linux, macOS, Windows
Dependency Confusion Attack
Dependency confusion exploits pip's default package resolution behavior, where it searches the public PyPI index alongside or before …

Severity: medium | Category: Configuration Abuse | Platforms: Linux, macOS, Windows
requirements.txt Index Manipulation
pip's requirements.txt file format supports global options including --index-url, --extra-index-url, --find-links, and --trusted-host …

Severity: critical | Category: Code Execution | Platforms: Linux, macOS, Windows
setup.py Arbitrary Code Execution
When a package is installed via `pip install`, pip executes the package's setup.py file using the installing user's privileges. This allows …

Severity: high | Category: Typosquatting | Platforms: Linux, macOS, Windows
PyPI Package Typosquatting
Typosquatting on PyPI involves registering package names that are deliberate misspellings, character transpositions, or plausible variations …