PyPI mirror proxy that injects code and bypasses pip hash verification

This page summarizes the projects mentioned and recommended in the original post on news.ycombinator.com

  1. badpie

  2. pip

    The Python package installer

    Yes, if you control the index, you can lie to pip about what the package's hash should be. This is why you have to opt in to using a different index, and why the connection to PyPI has been properly secured since forever (https://github.com/pypa/pip/issues/425 ; note the date).

    The clearly AI-generated README is also confused about how this works. It claims:

    > Intercepts package index requests and rewrites URLs to point to the malicious mirror

    but it's actually implementing a malicious mirror by forwarding requests to PyPI and then serving a modified version of the PyPI result. "Preserves and updates SHA256 hashes for modified packages" is also an incoherent description; preserving something and modifying it are mutually incompatible.
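
The point made in the comment above, as an added example (not code from the post, from badpie, or from pip): a hash read from the index's own page only proves the file matches what that index says, while a hash pinned locally in advance (as with pip's `--require-hashes` mode and `--hash=sha256:` entries in a requirements file) rejects a modified file. The file name, file bytes and helper functions are constructed for illustration.

```python
import hashlib
import re

# Constructed sample data: a package file as published, and the same file
# after a mirror has altered it in transit.
ORIGINAL = b"constructed wheel bytes: print('hello')"
TAMPERED = ORIGINAL + b"\n# extra content added by the mirror"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def simple_index_page(filename: str, artifact: bytes) -> str:
    """Render a PEP 503 style link. The #sha256= fragment is chosen by the index."""
    return f'<a href="/files/{filename}#sha256={sha256(artifact)}">{filename}</a>'


def advertised_hash(page: str, filename: str):
    """Extract the hash the index advertises for a file, or None if absent."""
    pattern = rf'href="[^"]*/{re.escape(filename)}#sha256=([0-9a-f]{{64}})"'
    match = re.search(pattern, page)
    return match.group(1) if match else None


def check_against_index(page: str, filename: str, artifact: bytes) -> bool:
    """Integrity check that trusts the hash supplied by the index itself."""
    return advertised_hash(page, filename) == sha256(artifact)


def check_against_pins(pins: dict, filename: str, artifact: bytes) -> bool:
    """Hash-checking mode: compare with a hash recorded locally ahead of time."""
    expected = pins.get(filename)
    return expected is not None and expected == sha256(artifact)


def compare_checks() -> dict:
    name = "demo_pkg-1.0-py3-none-any.whl"            # constructed file name
    pins = {name: sha256(ORIGINAL)}                   # recorded earlier from a trusted source
    mirror_page = simple_index_page(name, TAMPERED)   # index recomputed the hash
    return {
        "index_hash_accepts_tampered": check_against_index(mirror_page, name, TAMPERED),
        "pinned_hash_accepts_tampered": check_against_pins(pins, name, TAMPERED),
        "pinned_hash_accepts_original": check_against_pins(pins, name, ORIGINAL),
    }


if __name__ == "__main__":
    for check, result in compare_checks().items():
        print(f"{check}: {result}")
```

Pins only help if they were recorded from a trusted source; a lock file generated while pointed at an untrusted index records whatever that index served.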
