PyPI package publication rates have surged 30% since 2025, largely driven by AI-generated ("vibe-coded") packages. Many of these packages misuse eval, exec, and subprocess in ways that mimic malicious code patterns, creating false positives for security tools that monitor the ecosystem. The author, who maintains a malicious-package detection library called hexora, highlights the strain this places on PyPI, which is operated by a non-profit that relies on donations, as storage and download volumes grow. Additionally, some packages are published hundreds of times per day, which the author flags as abusive behavior that complicates supply-chain security monitoring.
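The false-positive problem described above comes from scanners that flag eval, exec, and subprocess on sight. The following added example (not hexora's code, and not a description of how hexora scores packages) shows one way to triage such calls with Python's ast module: the same call is rated differently depending on whether its payload is a literal, a runtime value, a decoded blob, or a shell command, and on whether it runs at module level (the setup.py install-hook shape). The rule names, severity levels, and the two sample snippets are all assumptions constructed for this illustration.

```python
"""Constructed example: AST-based triage of eval/exec/subprocess calls.

This is illustrative code added for this page, not hexora's scanner.
The rule set, severities and sample snippets are assumptions.
"""
import ast
from dataclasses import dataclass

# Call targets that naive scanners flag on sight.
DYNAMIC_EXEC = {"eval", "exec"}
SUBPROCESS_FUNCS = {"run", "Popen", "call", "check_output", "check_call"}
# Decoders whose output feeding exec/eval is the classic obfuscated shape,
# e.g. exec(base64.b64decode("...")).
DECODERS = {"b64decode", "b32decode", "a85decode", "decompress", "unhexlify", "fromhex"}

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}


@dataclass
class Finding:
    lineno: int
    rule: str
    severity: str


def _callee(node: ast.Call) -> str:
    """Last dotted component of the callee: 'run' for subprocess.run(...)."""
    f = node.func
    if isinstance(f, ast.Name):
        return f.id
    if isinstance(f, ast.Attribute):
        return f.attr
    return ""


def _calls_any(node: ast.AST, names: set) -> bool:
    """True if any call to one of `names` appears anywhere under `node`."""
    return any(isinstance(n, ast.Call) and _callee(n) in names for n in ast.walk(node))


def _is_static(node: ast.AST) -> bool:
    """A string literal, or a list/tuple made only of string literals."""
    if isinstance(node, ast.Constant):
        return isinstance(node.value, str)
    if isinstance(node, (ast.List, ast.Tuple)):
        return all(isinstance(e, ast.Constant) and isinstance(e.value, str) for e in node.elts)
    return False


class _Triage(ast.NodeVisitor):
    def __init__(self) -> None:
        self.findings: list[Finding] = []
        self.depth = 0  # 0 = module level: runs on import or during setup.py execution

    def visit_FunctionDef(self, node: ast.FunctionDef) -> None:
        self.depth += 1
        self.generic_visit(node)
        self.depth -= 1

    visit_AsyncFunctionDef = visit_FunctionDef

    def visit_Call(self, node: ast.Call) -> None:
        name = _callee(node)
        if name in DYNAMIC_EXEC and node.args:
            self._classify(node, "exec", node.args[0], shell=False)
        elif name in SUBPROCESS_FUNCS and node.args:
            shell = any(
                k.arg == "shell" and isinstance(k.value, ast.Constant) and k.value.value is True
                for k in node.keywords
            )
            self._classify(node, "subprocess", node.args[0], shell=shell)
        self.generic_visit(node)  # keep walking: payloads may nest further calls

    def _classify(self, node: ast.Call, kind: str, payload: ast.AST, shell: bool) -> None:
        if _calls_any(payload, DECODERS):
            sev, rule = "high", f"{kind}-decoded-payload"
        elif shell and not _is_static(payload):
            sev, rule = "high", f"{kind}-shell-dynamic-command"
        elif _is_static(payload):
            sev, rule = "low", f"{kind}-static-argument"  # sloppy, not malicious-looking
        else:
            sev, rule = "medium", f"{kind}-dynamic-argument"
        # Executing at import/install time is a stronger signal than inside a helper.
        if self.depth == 0 and sev != "high":
            sev = "high" if sev == "medium" else "medium"
        self.findings.append(Finding(node.lineno, rule, sev))


def triage(source: str) -> list[Finding]:
    """Parse `source` and return findings in source order."""
    visitor = _Triage()
    visitor.visit(ast.parse(source))
    return visitor.findings


def max_severity(source: str) -> str:
    findings = triage(source)
    if not findings:
        return "none"
    return max(findings, key=lambda f: SEVERITY_RANK[f.severity]).severity


# Constructed sample: the kind of sloppy-but-benign code an LLM happily emits.
VIBE_CODED = '''
import subprocess

def git_sha():
    return subprocess.check_output(["git", "rev-parse", "HEAD"]).decode().strip()

def parse_setting(text):
    return eval(text)  # bad practice, but the input is a plain caller-supplied string
'''

# Constructed sample: the shape scanners are actually hunting for.
MALICIOUS = '''
import base64, subprocess
exec(base64.b64decode("aW1wb3J0IG9z"))
subprocess.Popen("curl " + host, shell=True)
'''

if __name__ == "__main__":
    for label, src in (("vibe-coded", VIBE_CODED), ("malicious", MALICIOUS)):
        print(label, max_severity(src), [(f.rule, f.severity) for f in triage(src)])
```

The point of the split is that a plain-literal argument inside a function drops to "low", so the eval/subprocess noise from generated packages no longer lands in the same bucket as a base64-decoded exec at module scope; a real scanner would add more signals (network calls, writes to startup paths, entropy of the decoded blob), but the triage shape is the same.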