Search papers, labs, and topics across Lattice.
This study conducts a comprehensive analysis of package replication on PyPI, revealing that a significant number of packages duplicate code from existing ones, which can lead to confusion among developers and the propagation of vulnerabilities. By examining one-third of the PyPI repository, the authors identify 1,361 replicated packages from popular projects, 256 previously unknown vulnerable packages, and 186 replicated malicious packages, underscoring the risks associated with package replication. The findings highlight the need for improved detection mechanisms to address the security threats posed by these replicated packages.
Over 1,300 replicated packages on PyPI not only confuse developers but also create vulnerability blind spots and serve as vectors for malware distribution.
In this study, we present a large-scale, in-depth study of package replication in PyPI. As a vital platform, PyPI streamlines Python package distribution for developers. However, beyond small-scale code cloning, we observe that many replicated packages exist on PyPI, which duplicate most of the codebase from existing packages. Such replication not only confuses developers but also propagates known vulnerabilities and enables the creation of new malicious packages. To address this issue, we comprehensively examine the characteristics and potential threats of replicated packages. Using one-third of the entire PyPI repository (200K packages), we investigate replication from three perspectives: replication of popular packages, vulnerable packages, and malicious packages. Our experiments reveal three critical findings about package replication in PyPI: (1) by identifying 1,361 replicated packages of the top 3K popular projects, we show that replication frequently redistributes substantial portions of existing packages under different maintainers; (2) by uncovering 256 previously unknown replicated vulnerable packages, we demonstrate that replication creates vulnerability blind spots that current detection tools rarely catch; (3) by analyzing 3,883 known malicious packages, we found that 186 (4.79%) replicated popular ones, and this pattern further led us to identify seven previously unknown replicated malicious packages, highlighting its role as an attack vector for malware distribution through minor modifications and code injection.