PyPI name "visqol" is squatted by a malicious package #144

@sebastian8x8

The package name visqol on PyPI has been claimed by a malicious squatting package:
https://pypi.org/project/visqol/

The package (visqol 0.1.0) has no relation to this project. It was published by an author using the alias sectest (sectest@example.com) and contains no legitimate functionality. Key concerns:

  • Name squatting: Blocks any future official PyPI release of ViSQOL under its canonical name.
  • Namespace poisoning: Despite being named visqol, the package installs a pyav module that shadows the legitimate PyAV library.
  • Payload staging: The sole code file contains an unused import os and a debug print statement, consistent with a placeholder for future malicious updates.
  • All metadata is boilerplate: Description is "Your package description", homepage points to https://github.com/yourusername/ipablepytorch3, and the README contains only sec-test.

A PyPI abuse report should be filed (or may already be in progress) to have the package removed. If your team intends to publish ViSQOL to PyPI in the future, it would be worth coordinating with PyPI to reclaim the name.
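The indicators listed in the report (distribution name that does not match the module it installs, template metadata nobody edited, a lone file whose imports are never used) can all be checked offline from the wheel itself before anything is installed. The triage script below is an added example written for this page; it is not the reporter's code and not part of the ViSQOL project. It builds two wheels in memory as constructed samples: one mirroring the indicators described above (distribution `visqol`, top-level module `pyav`, unused `import os`, template summary and homepage), and one benign wheel whose hyphenated name must not be flagged against its underscored module. The function names, the `BOILERPLATE_MARKERS` list and the sample file contents are assumptions made for the example, not a reproduction of the actual package.

```python
"""Offline triage of a PyPI wheel for squatting / namespace-poisoning indicators."""
import ast
import email
import io
import re
import zipfile

# Strings a project template leaves behind when nobody edits the metadata (assumed list).
BOILERPLATE_MARKERS = ("Your package description", "github.com/yourusername")


def _normalize(name: str) -> str:
    """PEP 503 name normalisation, mapped to the form an import name takes."""
    return re.sub(r"[-_.]+", "_", name).lower()


def _unused_imports(source: str) -> list:
    """Names bound by import statements that are never loaded anywhere in the module."""
    tree = ast.parse(source)
    imported = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            imported.update(a.asname or a.name.split(".")[0] for a in node.names)
        elif isinstance(node, ast.ImportFrom):
            imported.update(a.asname or a.name for a in node.names)
    used = {n.id for n in ast.walk(tree)
            if isinstance(n, ast.Name) and isinstance(n.ctx, ast.Load)}
    return sorted(imported - used)


def inspect_wheel(data: bytes) -> dict:
    """Return the indicators found in a wheel (bytes of the .whl zip)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        meta_path = next(n for n in names if n.endswith(".dist-info/METADATA"))
        dist_info = meta_path.rsplit("/", 1)[0]
        meta = email.message_from_string(zf.read(meta_path).decode())  # RFC 822 style
        try:
            top_level = zf.read(f"{dist_info}/top_level.txt").decode().split()
        except KeyError:  # older tooling omits top_level.txt; infer from the file tree
            heads = {n.split("/")[0] for n in names if n.endswith(".py")}
            top_level = sorted(h[:-3] if h.endswith(".py") else h for h in heads)
        unused = {}
        for n in names:
            if n.endswith(".py"):
                bad = _unused_imports(zf.read(n).decode())
                if bad:
                    unused[n] = bad
    scanned = " ".join(str(v) for v in (meta.get("Summary"), meta.get("Home-page"),
                                        meta.get_payload()))
    boilerplate = [m for m in BOILERPLATE_MARKERS if m in scanned]
    name = meta["Name"]
    # Namespace check: the distribution should provide a module of (roughly) its own name.
    mismatch = _normalize(name) not in {_normalize(t) for t in top_level}
    return {
        "name": name,
        "version": meta["Version"],
        "top_level": top_level,
        "namespace_mismatch": mismatch,
        "boilerplate": boilerplate,
        "unused_imports": unused,
        "suspicious": mismatch or bool(boilerplate) or bool(unused),
    }


def build_sample_wheel(name, version, module, source, summary, homepage) -> bytes:
    """Constructed in-memory wheel carrying only the files the triage looks at."""
    dist_info = f"{name.replace('-', '_')}-{version}.dist-info"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(f"{module}/__init__.py", source)
        zf.writestr(f"{dist_info}/METADATA",
                    f"Metadata-Version: 2.1\nName: {name}\nVersion: {version}\n"
                    f"Summary: {summary}\nHome-page: {homepage}\n\nREADME body\n")
        zf.writestr(f"{dist_info}/top_level.txt", module + "\n")
    return buf.getvalue()


# Constructed sample mirroring the indicators in the report (not the real package contents).
SQUATTER = build_sample_wheel(
    "visqol", "0.1.0", "pyav", "import os\nprint('debug')\n",
    "Your package description", "https://github.com/yourusername/ipablepytorch3")

# Constructed benign sample: hyphenated name, underscored module, import actually used.
BENIGN = build_sample_wheel(
    "my-audio-tool", "1.2.0", "my_audio_tool",
    "import os\n\ndef cache_dir():\n    return os.path.expanduser('~/.cache')\n",
    "Perceptual audio metrics", "https://example.org/my-audio-tool")

if __name__ == "__main__":
    for label, wheel in (("squatter", SQUATTER), ("benign", BENIGN)):
        print(label, inspect_wheel(wheel))
```

To run it against a real distribution, fetch the wheel with `pip download --no-deps <name>` and pass the file's bytes to `inspect_wheel`. A namespace mismatch on its own is not proof of malice (some projects legitimately ship a module named differently from the distribution), which is why the verdict is a set of indicators rather than a single flag.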
