python – I mistyped a `pip install` command. Could my system have been compromised?

Any time you run pip install, your machine could be compromised if the package is malicious.

Looking at the code in that package, it does indeed appear to be empty. However, the installed code would not run unless you ran it manually. The more likely location for auto-run malicious code is the setup.py packaging script that is run during install; however, nothing malicious appears there either, assuming I am looking at the exact same version.

I suppose it could have been possible for a sophisticated attack that ran malicious code in setup.py during the install that removes the malicious code so you can’t find it, and also reaches out to some remote server to update the version in PyPI as well. However, that seems like a very limited attack since it would probably only work once per package name, and the version history is available on PyPI. It’s more likely that you installed someone’s abandoned project.

It is good to be aware of what packages you are installing, especially since pip and other package managers have a history of actors using typosquatting to distribute malware.

If you want to avoid this issue in the future when working on your own packages, consider using `pip install .` from the top level directory of your project.
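As an added example (not part of the question or the answer above): the answer's point is that the install-time script `setup.py` is where auto-run code would live, so the check a practitioner wants is to read that script out of the sdist *before* anything executes it. The scanner below parses `setup.py` with `ast` (never `exec`) and reports imports of modules like `subprocess`, calls such as `exec()`/`eval()`, and custom `install`/`develop` command classes, which are the usual shapes of a post-install hook. The red-flag lists and both sample `setup.py` sources are constructed for this demo; the noisy one imitates the shape of such a hook and is not taken from any real upload. Fetch the sdist from the project's file listing on PyPI with a plain download rather than through pip, since pip itself may execute the packaging script while collecting metadata.

```python
import ast
import io
import tarfile
import tempfile
from pathlib import Path

# Module roots and call names that deserve a second look when they appear in
# a script that runs at install time. Assumed lists chosen for this example.
SUSPICIOUS_MODULES = {"subprocess", "socket", "urllib", "requests",
                      "base64", "ctypes", "shutil"}
SUSPICIOUS_CALLS = {"exec", "eval", "compile", "os.system", "os.popen"}
# setuptools command classes that a package may subclass to hook the install.
HOOKABLE_COMMANDS = {"install", "develop", "egg_info", "build_py"}


def _dotted(node):
    """Return 'a.b.c' for a Name/Attribute chain, else None (e.g. for x().y)."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def scan_setup_source(source: str) -> list[str]:
    """Statically inspect a setup.py and list install-time red flags."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name.split(".")[0] in SUSPICIOUS_MODULES:
                    findings.append(f"line {node.lineno}: import {alias.name}")
        elif isinstance(node, ast.ImportFrom):
            mod = node.module or ""
            if mod.split(".")[0] in SUSPICIOUS_MODULES:
                findings.append(f"line {node.lineno}: from {mod} import ...")
        elif isinstance(node, ast.Call):
            name = _dotted(node.func)
            if name and (name in SUSPICIOUS_CALLS
                         or name.split(".")[0] in SUSPICIOUS_MODULES):
                findings.append(f"line {node.lineno}: call {name}()")
        elif isinstance(node, ast.ClassDef):
            # A subclass of install/develop/... runs its run() during pip install.
            if {_dotted(b) for b in node.bases} & HOOKABLE_COMMANDS:
                findings.append(f"line {node.lineno}: custom command class {node.name}")
    return findings


def scan_sdist(path) -> dict[str, list[str]]:
    """Scan the top-level setup.py of an sdist tarball without extracting it."""
    results = {}
    with tarfile.open(path, "r:gz") as tar:
        for member in tar.getmembers():
            parts = Path(member.name).parts
            if member.isfile() and len(parts) == 2 and parts[1] == "setup.py":
                source = tar.extractfile(member).read().decode("utf-8")
                results[member.name] = scan_setup_source(source)
    return results


# Constructed sample inputs: a plain setup.py and one shaped like a post-install hook.
BENIGN_SETUP = '''
from setuptools import setup
setup(name="example-pkg", version="0.1", py_modules=["example_pkg"])
'''

NOISY_SETUP = '''
import base64
import subprocess
from setuptools import setup
from setuptools.command.install import install

class PostInstall(install):
    def run(self):
        install.run(self)
        subprocess.run(["echo", base64.b64decode(b"aGVsbG8=").decode()])

setup(name="exmaple-pkg", version="0.1", cmdclass={"install": PostInstall})
'''


def build_sdist(dirname: str, setup_source: str) -> Path:
    """Write a minimal sdist tarball to a temp dir (constructed test input only)."""
    path = Path(tempfile.mkdtemp()) / f"{dirname}.tar.gz"
    with tarfile.open(path, "w:gz") as tar:
        for name, text in ((f"{dirname}/setup.py", setup_source),
                           (f"{dirname}/example_pkg.py", "")):
            payload = text.encode()
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return path


if __name__ == "__main__":
    for label, src in (("benign", BENIGN_SETUP), ("noisy", NOISY_SETUP)):
        print(label, scan_sdist(build_sdist("example-pkg-0.1", src)))
```

A clean report is not proof of safety (the flagged names are only the common shapes, and code can be obfuscated past a static scan), but a non-empty one tells you exactly which lines to read before you let pip run them.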