All sufficiently big public package registries are a mess full of malware, name squatting, and drama:
crates.io has a single user owning names like “any”, “bash”, and “class”. npmjs.com had a drama with left-pad when a single maintainer of a single one-liner package broke the internet. pypi.org appears in tech news monthly with another group of researchers discovering another malware campaign. Today PyPI malware made news yet again, so I decided to take a look at the other side of PyPI: name squatting and some other interesting stats along the way.
Interesting article. I would have preferred to see more discussion of the great harm squatting can do to the public. It’s not just about taking up space in a database: malicious actors can hold a name with a malicious version of the software and just wait for victims to show up and pull it. (This is one obvious reason why companies squat names preemptively.)
I believe Python erred in having a flat namespace instead of using domain names you can secure and validate with DNS or something. Too late now, though.
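One defensive check that follows from the comment above, as an added example rather than anything from the linked article or the thread: audit a requirements file against a curated allowlist, flag names that merely resemble allowlisted ones, and insist that even trusted names are pinned with a hash. The allowlist and the requirements text are constructed for the example; the 0.8 similarity threshold is an assumption, not a standard.

```python
import re
from difflib import SequenceMatcher

# Constructed allowlist of expected dependencies (assumption for this example).
KNOWN_GOOD = {"requests", "numpy", "cryptography", "urllib3"}

# Constructed requirements.txt content, not taken from any real project.
SAMPLE_REQUIREMENTS = """\
requests==2.31.0 --hash=sha256:placeholder-not-a-real-digest
numpy
reqeusts
urlib3==2.0.0
cryptography==41.0.3
flask
"""

# Captures: package name, optional exact pin, trailing options such as --hash
REQ_LINE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==\s*\S+)?(.*)$")

def normalize(name):
    """PEP 503 normalization: case-fold and collapse runs of [-_.] to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def similarity(a, b):
    """Ratio in [0, 1] of how alike two normalized package names are."""
    return SequenceMatcher(None, normalize(a), normalize(b)).ratio()

def audit_requirements(text, known_good=KNOWN_GOOD, threshold=0.8):
    """Flag dependencies that are unpinned, not allowlisted, or lookalikes."""
    allowed = {normalize(k) for k in known_good}
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "-")):
            continue  # comments and pip options such as -r or --index-url
        match = REQ_LINE.match(line)
        if not match:
            continue  # URLs and local paths are out of scope here
        name = normalize(match.group(1))
        if name in allowed:
            # A trusted name still needs a pin and hash so a hijacked upload cannot be swapped in.
            if match.group(2) is None or "--hash=" not in match.group(3):
                findings.append((name, "not pinned with --hash"))
            continue
        best = max(known_good, key=lambda k: similarity(name, k))
        if similarity(name, best) >= threshold:
            findings.append((name, f"lookalike of {best}"))
        else:
            findings.append((name, "not on allowlist"))
    return findings
```

Running `audit_requirements(SAMPLE_REQUIREMENTS)` reports the two lookalikes, the unknown name, and the two allowlisted entries installed without hash checking, while the fully pinned `requests` line passes.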