The package name visqol on PyPI has been claimed by a malicious squatting package:
https://pypi.org/project/visqol/
The package (visqol 0.1.0) has no relation to this project. It was published by an author using the alias sectest (sectest@example.com) and contains no legitimate functionality. Key concerns:
- Name squatting: Blocks any future official PyPI release of ViSQOL under its canonical name.
- Namespace poisoning: Despite being named visqol, the package installs a pyav module that shadows the legitimate PyAV library.
- Payload staging: The sole code file contains an unused import os and a debug print statement, consistent with a placeholder for future malicious updates.
- All metadata is boilerplate: Description is "Your package description", homepage points to https://github.com/yourusername/ipablepytorch3, and the README contains only sec-test.
A PyPI abuse report should be filed (or may already be in progress) to have the package removed. If your team intends to publish ViSQOL to PyPI in the future, it would be worth coordinating with PyPI to reclaim the name.
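The two static signals listed above (top-level modules that do not match the distribution name, and template metadata) can be checked on a wheel without installing it. This is an added example, not code from the ViSQOL project or from the report; the function names and the constructed sample wheel are assumptions, and the sample only mirrors the layout described above.

```python
import io
import zipfile
from email.parser import Parser

# Template strings quoted in the report; extend for your own triage.
PLACEHOLDERS = ("your package description", "yourusername")

def top_level_modules(names):
    """Importable top-level names the wheel would place in site-packages."""
    mods = set()
    for name in names:
        head = name.split("/", 1)[0]
        if head.endswith((".dist-info", ".data")):
            continue  # packaging metadata, not importable code
        if "/" in name:
            mods.add(head)       # package directory
        elif head.endswith(".py"):
            mods.add(head[:-3])  # single-file module
    return mods

def audit_wheel(wheel_bytes):
    """Return a list of findings for one wheel, read without installing it."""
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        names = zf.namelist()
        meta_path = next(n for n in names if n.endswith(".dist-info/METADATA"))
        meta = Parser().parsestr(zf.read(meta_path).decode("utf-8"))
    dist = meta["Name"].lower().replace("-", "_")
    findings = []
    # A mismatch is a triage signal, not a verdict: legitimate projects
    # also ship import names that differ from the distribution name.
    foreign = sorted(m for m in top_level_modules(names) if m.lower() != dist)
    if foreign:
        findings.append(f"{dist!r} installs unrelated top-level modules: {foreign}")
    fields = [meta.get("Summary", ""), meta.get("Home-page", "")]
    hits = [p for p in PLACEHOLDERS if any(p in f.lower() for f in fields)]
    if hits:
        findings.append(f"template metadata left in place: {hits}")
    return findings

def build_sample_wheel():
    """Constructed sample mirroring the report's description (not the real file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("pyav/__init__.py", "import os\nprint('debug')\n")
        zf.writestr("visqol-0.1.0.dist-info/METADATA",
                    "Metadata-Version: 2.1\nName: visqol\nVersion: 0.1.0\n"
                    "Summary: Your package description\n"
                    "Home-page: https://github.com/yourusername/ipablepytorch3\n")
    return buf.getvalue()

if __name__ == "__main__":
    for finding in audit_wheel(build_sample_wheel()):
        print(finding)
```

To audit a real artifact, fetch it with `pip download --no-deps --only-binary=:all: <name>` into a scratch directory and pass the wheel's bytes to `audit_wheel`.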