
📦 PyPI Has an Explosive Growth Problem
Since 2025, the number of packages published on PyPI per week has increased by 30% — and the main cause is AI. 📈
📊 The Numbers
- +30% more packages per week since 2025
- More than 400 GB of new data stored per week
- Weekly downloads are also skyrocketing
⚠️ The “Vibecoding” Problem
Many of these new packages are “vibecoded” — AI-generated code without careful review. The author, working on Hexora (a PyPI malicious code detection tool), observes:
- They abuse eval, exec, and subprocess unnecessarily
- They encode Python code in base64 before executing it with exec, for no technical reason
- Sometimes the code looks like malware, even if unintentionally
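The patterns above are exactly what a scanner has to flag, and also why harmless vibecoded code produces false positives. As an added example (not Hexora's code or the original post's), here is a small AST scan that reports calls to eval, exec and subprocess plus the base64-then-exec pattern, run over a constructed sample that only prints a greeting but still trips the rule:

```python
import ast
import base64

# Call targets a reviewer or scanner treats as suspicious in a published package.
SUSPICIOUS_CALLS = {"eval", "exec", "subprocess.run", "subprocess.Popen", "subprocess.call"}


def _call_name(node: ast.Call) -> str:
    """Dotted name of a call target, e.g. 'exec' or 'subprocess.run' ('' if unknown)."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return f"{func.value.id}.{func.attr}"
    return ""


def scan_source(source: str) -> list[str]:
    """Return one finding per suspicious call in a Python source string."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node)
        if name in ("exec", "eval") and node.args:
            arg = node.args[0]
            # Unwrap trailing .decode() calls: exec(b64decode(x).decode()) is the common form.
            while isinstance(arg, ast.Call) and isinstance(arg.func, ast.Attribute) \
                    and arg.func.attr == "decode":
                arg = arg.func.value
            if isinstance(arg, ast.Call) and _call_name(arg) in ("base64.b64decode", "b64decode"):
                findings.append(f"line {node.lineno}: {name}() of base64-decoded payload")
                continue
        if name in SUSPICIOUS_CALLS:
            findings.append(f"line {node.lineno}: call to {name}()")
    return findings


# Constructed sample of "vibecoded" code: a harmless print wrapped in base64 + exec.
_PAYLOAD = base64.b64encode(b"print('hello')").decode()
VIBECODED_SAMPLE = "import base64\nexec(base64.b64decode(" + repr(_PAYLOAD) + ").decode())\n"
CLEAN_SAMPLE = "def greet():\n    print('hello')\n"

if __name__ == "__main__":
    print(scan_source(VIBECODED_SAMPLE))  # flagged, although the payload is benign
    print(scan_source(CLEAN_SAMPLE))      # []
```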
🔴 Abusive Publishing
One package published 392 versions in a single day. This puts enormous pressure on PyPI (maintained by the non-profit PSF).
💡 Explanation in a nutshell
AI is democratizing code creation, but it’s also flooding PyPI with low-quality packages that use code patterns that look malicious even if they’re not. This creates a growing supply chain security problem for the Python software ecosystem: more packages to review, more false positives in security tools, and more burden on PyPI maintainers — who rely on donations to operate.
More information at the link 👇

