by nariinano 3193 days ago
I believe urllib3 is built-in. So if you have installed it from PyPI you've gotten a malicious version.
3 comments

urllib and urllib2 are built-in for Python 2, and were merged and reorganized as just urllib in Python 3. urllib3 is a third-party module.
This is correct. In general, though, most packages don't rely on urllib3 directly, but on `requests`, which uses urllib3 but provides a friendlier API and built-in SSL cert verification.
It's not generally true that built-in packages which also appear on PyPI are malicious.

Many batteries-included packages are also maintained outside of CPython. This is because: (1) in many cases they existed outside prior to being included in CPython, (2) they can experiment with new features before they're included in the CPython version of their package.
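
The built-in versus PyPI question discussed in this thread can be checked on a given interpreter. The following is an added example, not part of the original comments; the function names `classify` and `owners` are hypothetical, and it relies on `sys.stdlib_module_names` and `importlib.metadata.packages_distributions`, both available from Python 3.10 (with a path-based fallback for the former).

```python
import importlib.metadata as md
import importlib.util
import sys
import sysconfig


def classify(name):
    """Return 'stdlib', 'third-party' or 'not-installed' for an import name."""
    top = name.split(".")[0]
    # Authoritative list of standard-library top-level names (Python 3.10+).
    if top in sys.builtin_module_names or top in getattr(sys, "stdlib_module_names", ()):
        return "stdlib"
    try:
        spec = importlib.util.find_spec(top)  # locates the module without importing it
    except (ImportError, ValueError):
        spec = None
    if spec is None:
        return "not-installed"
    # Fallback for interpreters older than 3.10: compare the file location.
    origin = spec.origin or ""
    stdlib_dir = sysconfig.get_paths()["stdlib"]
    outside_site = "site-packages" not in origin and "dist-packages" not in origin
    if origin.startswith(stdlib_dir) and outside_site:
        return "stdlib"
    return "third-party"


def owners(name):
    """List (distribution, version) pairs that installed this import name."""
    top = name.split(".")[0]
    if not hasattr(md, "packages_distributions"):  # Python < 3.10
        return []
    return [(dist, md.version(dist)) for dist in md.packages_distributions().get(top, [])]


if __name__ == "__main__":
    # Names taken from the thread above.
    for mod in ("urllib", "urllib2", "urllib3", "requests"):
        kind = classify(mod)
        detail = owners(mod) if kind == "third-party" else ""
        print(f"{mod:10} {kind:14} {detail}")
```

A `third-party` result only says where the module came from; the distribution name and version reported by `owners` are what to compare against the package you intended to install.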