Skip to content

❗Bug Report: Unsafe pip install with --break-system-packages and Hallucinated Package Name #126

Description

@kvyb

Description

The AI assistant suggested running a pip install command that includes the --break-system-packages flag on a Homebrew-managed Python environment. The package it recommended (graphifyy) does not appear to exist on PyPI, raising concerns about either a hallucinated package name or a potential typosquatting vector.

Steps to Reproduce

See screenshot from codex, when following readme instructions for setup:
Image

Agent Output

Reason: Do you want to allow installing the 'graphifyy' package so I can build the knowledge graph for this repo?

$ /opt/homebrew/opt/python@3.14/bin/python3.14 -m pip install graphifyy --break-system-packages

Why This Is Problematic

1. --break-system-packages violates PEP 668

Python 3.11+ (and Homebrew's Python distribution) marks the environment as externally managed. The --break-system-packages flag explicitly overrides this safeguard and can:

  • Corrupt the global or Homebrew-managed Python environment.
  • Create conflicts between pip-installed and Homebrew-installed packages.
  • Lead to subtle, hard-to-debug breakage in system tools that depend on Python.

2. graphifyy ❗ appears to be a non-existent or hallucinated package

  • A search on PyPI returns no results for graphifyy.
  • This could be a hallucinated package name, or worse, a vector for typosquatting, a known supply chain attack where malicious packages are published under names that look like plausible typos of popular packages.
  • If a bad actor were to register graphifyy on PyPI, any user who accepted this suggestion would unknowingly install malicious code.

Expected Behavior

  1. Respect PEP 668: The agent should never suggest --break-system-packages. If it detects an externally managed environment, it should stop and take the appropriate corrective action.
  2. Use virtual environments: The agent should automatically create and activate a virtual environment before installing anything:
    python3 -m venv .venv
    source .venv/bin/activate
    pip install <package>
  3. Verify packages before suggesting installation: The agent should confirm that a package actually exists on PyPI (and is spelled correctly) before prompting the user to install it. This is a basic safeguard against hallucinated names and supply chain attacks.

Environment

  • Python: 3.14 (Homebrew, /opt/homebrew/opt/python@3.14/)
  • OS: macOS (Apple Silicon)
  • Environment type: Externally managed (PEP 668)

Severity

High: This combines two serious issues: potential corruption of the user's Python environment and a possible supply chain attack vector via a hallucinated package name. Either one alone would be worth flagging; together they represent a meaningful safety gap.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions