PyPI does exactly that, and it's been very effective. Security partners can scan packages and use the invite-only API to report them: https://blog.pypi.org/posts/2024-03-06-malware-reporting-evo...
It is not effective if it just takes a simple base64 encode to bypass. If Claude is trivially able to find that it is malicious then PyPI is being negligent.
Thanks, TIL.
PyPI is pretty best-in-class here and I think that they should be seen as the example for others to pursue.
The client side tooling needs work, but that's a major effort in and of itself.