All sufficiently big public package registries are a mess of malware, name squatting, and drama: crates.io has a single user owning names like “any”, “bash”, and “class”. npmjs.com had its left-pad drama, when the single maintainer of a single one-liner package broke the internet. pypi.org appears in tech news monthly with yet another group of researchers discovering yet another malware campaign. Today PyPI malware made news yet again, so I decided to take a look at the other side of...