I recently launched my first package, called repowise, on PyPI. It's a tool for generating and maintaining structured wikis for codebases. However, I noticed this morning that three new packages appeared that all claim to "outperform" my tool, and they even use my package's name in their description. They all popped up around the same time, which feels too coordinated to be a coincidence. Upon further inspection, I've found that they've actually forked my code, made minor changes with an LLM, and released it under new names without giving me any attribution or complying with the AGPL license. Has anyone experienced similar issues with targeted attacks or spam on PyPI? What steps can I take?
5 Answers
Yeah, that’s sketchy behavior for sure. Just be cautious because these types of copied packages can sometimes be used for malicious purposes. I’m definitely curious about repowise now—might check it out! Let us know if you need feedback or help.
This kind of thing happens more than you’d think, especially after a package gains some visibility. I’ve had similar experiences where duplicate packages showed up shortly after my own releases. If you report it, you can usually get a resolution pretty quickly—within a couple of days, even. For your peace of mind, definitely take action!
The AGPL rules are quite strict about how your code should be used. If they’re not respecting those terms, you have a solid foundation for taking action against them. Make sure they know you’re aware of it and that you’ve got legal backup.
That’s really suspicious! It sounds like they might have bots set up to hijack new packages, which has been known to happen on PyPI. But your case is definitely worse since they’ve adapted your actual code! You should definitely look into reporting this to the PyPI security team—they’re often responsive if you fill out their malware form.
To clarify on the AGPL violation—they took your code, made small adjustments, and released it without attributing you or keeping the original license intact. The AGPL requires that the original author gets credit and that anyone using the code must share their changes under the same license.
