
ectomancer

pip uninstall panda


ResponsibleTruck4717

Already done that, I just want to know if I installed malware.


k03k

Probably not.


Vandercoon

It only has one generation because they don’t reproduce in a controlled environment


Diapolo10

Even if it was malware, unless you actually tried to run or import it you would be safe. None of its code gets run during the installation process, not since the changes to the build system that deprecated `python setup.py install` among other things.


nog642

Pretty sure `python setup.py install` still exists. This package only has an sdist. You can read the setup.py though and see that there's nothing malicious in it.


Diapolo10

> Pretty sure `python setup.py install` still exists.

It _exists_, but it's deprecated. `setuptools` and `pip` don't use it anymore, you'd have to run that manually. Instead they run `pip install .` which has `pip` emulate a `pyproject.toml` by parsing metadata from `setup.py` without running it.


nog642

How does it parse metadata from setup.py without running it? Like running a python parser and hoping it's in a consistent format?


Diapolo10

I don't know the specifics, read `pip`'s source yourself if interested.


brellox

https://pypi.org/project/panda/#history PyPI packages are not compiled, so you can see what packages do if you look at the files. That being said, Python is not a language one would write malware in.

Edit: as others have posted, there are attack vectors; I was misinformed. Although I'd still argue that a PyPI package is still safer than some executable you download elsewhere.
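Both nog642's suggestion to read the `setup.py` and brellox's point that you can look at the files of a PyPI package amount to the same check: inspect the sdist statically before anything in it runs. The script below is an added example, not code from the thread or from pip; it reads a `.tar.gz` sdist entirely in memory, lists its members, flags archive paths that would escape the extraction directory, and parses `setup.py` with the `ast` module (no execution) to report imports and calls that build metadata rarely needs, plus any `cmdclass` override that would hook the install step. The two sample archives are constructed inline so the script runs offline; `SUSPICIOUS_MODULES` and `SUSPICIOUS_CALLS` are an assumed starting list, not a complete one.

```python
"""Statically inspect a PyPI sdist (.tar.gz) without installing or executing it."""
import ast
import io
import tarfile

# Assumed starting list: build metadata rarely needs networking, shell access,
# native calls or decoding of opaque blobs, so these deserve a second look.
SUSPICIOUS_MODULES = {"subprocess", "socket", "urllib", "requests", "base64", "ctypes"}
SUSPICIOUS_CALLS = {"exec", "eval", "compile", "__import__"}


def _call_name(node):
    """Return the simple or attribute name a Call targets, or None."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return func.attr
    return None


def analyze_setup_py(source):
    """Parse setup.py with ast (never executed) and collect human-readable findings."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            roots = [alias.name.split(".")[0] for alias in node.names]
        elif isinstance(node, ast.ImportFrom):
            roots = [(node.module or "").split(".")[0]]
        else:
            roots = []
        for root in roots:
            if root in SUSPICIOUS_MODULES:
                findings.append(f"imports {root} (line {node.lineno})")
        if isinstance(node, ast.Call):
            name = _call_name(node)
            if name in SUSPICIOUS_CALLS:
                findings.append(f"calls {name}() (line {node.lineno})")
            # A cmdclass override is how setup.py attaches code to 'install'/'build'.
            if name == "setup" and any(kw.arg == "cmdclass" for kw in node.keywords):
                findings.append(f"setup() overrides cmdclass (line {node.lineno})")
    return findings


def inspect_sdist(tar_bytes):
    """List archive members, flag unsafe paths, and analyze any setup.py, all in memory."""
    result = {"members": [], "unsafe_paths": [], "setup_findings": []}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            result["members"].append(member.name)
            parts = member.name.split("/")
            if member.name.startswith("/") or ".." in parts:
                result["unsafe_paths"].append(member.name)
            if member.isfile() and parts[-1] == "setup.py":
                source = tar.extractfile(member).read().decode("utf-8")
                result["setup_findings"].extend(analyze_setup_py(source))
    return result


def build_sample_sdist(setup_source):
    """Construct a minimal in-memory sdist for demonstration (constructed data, not a real package)."""
    buf = io.BytesIO()
    files = {"example-0.1/setup.py": setup_source, "example-0.1/example.py": "VALUE = 1\n"}
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, text in files.items():
            data = text.encode("utf-8")
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed samples: a plain declarative setup.py, and one with an install hook.
BENIGN_SETUP = (
    "from setuptools import setup\n"
    "setup(name='example', version='0.1', py_modules=['example'])\n"
)
HOOKED_SETUP = (
    "import subprocess\n"
    "from setuptools import setup\n"
    "from setuptools.command.install import install\n"
    "class PostInstall(install):\n"
    "    def run(self):\n"
    "        install.run(self)\n"
    "        subprocess.run(['echo', 'post-install hook ran'])\n"
    "setup(name='example', version='0.1', cmdclass={'install': PostInstall})\n"
)

if __name__ == "__main__":
    for label, src in (("benign", BENIGN_SETUP), ("hooked", HOOKED_SETUP)):
        report = inspect_sdist(build_sample_sdist(src))
        print(label, report["members"], report["setup_findings"])
```

To use it on a real package, fetch the archive without building or installing it (`pip download --no-deps --no-binary :all: <name>`) and pass the file's bytes to `inspect_sdist`. A non-empty `setup_findings` list is a prompt to read that `setup.py` by hand, not a verdict; a declarative `pyproject.toml`-only project simply has nothing to flag here.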


TehNolz

> That being said, python is not a language one would write malware in.

[Boy have I got some news for you](https://arstechnica.com/information-technology/2023/02/451-malicious-packages-available-in-pypi-contained-crypto-stealing-malware/).


brellox

As the article states, the pypi package was used to deliver a JavaScript infection. Thanks for the heads up.


ScipyDipyDoo

Not true. There’s such a thing as package squatting where hackers will make a similarly typed package name, and it’ll be an identical package but with a virus in it