AI Sec Watch: A Security Intelligence Platform for AI Systems

Luu, T.J.

Malicious Python Packages and Code Execution via pip download

highnews

security

Source: Embrace The RedSeptember 9, 2022

Summary

Running pip download (a Python command that downloads packages without installing them) can execute malicious code on your computer due to a design flaw, even though many people assume only pip install poses a security risk. This vulnerability allows attackers to run arbitrary code (commands of their choice) simply by downloading a compromised package.

Classification

Attack Type

Supply Chain

Attack SophisticationModerate

Impact (CIA+S)

integrityconfidentiality

Related Issues

high

Anthropic accuses Chinese AI labs of mining Claude as US debates AI chip exports

Similar attackTechCrunch

critical

CVE-2026-26190: Milvus is an open-source vector database built for generative AI applications. Prior to 2.5.27 and 2.6.10, Milvus expose

Similar attackNVD/CVE Database

Original source: https://embracethered.com/blog/posts/2022/python-package-manager-install-and-download-vulnerability/

First tracked: February 12, 2026 at 02:20 PM

Classified by LLM (prompt v3) · confidence: 75%