by mrdw 32 days ago
btw, you can claim the "relax" name instead of "relaxai" on PyPI

pypi.org/project/relax is an abandoned library whose owner registered via an email address on an expired custom domain, so you can claim this domain and reset the owner's account by email.

3 comments

It's probably a better idea to follow the process documented in PEP 541 [1] and contact the PyPI admins to request a transfer of the name. Taking over the domain to impersonate the original owner would look indistinguishable from a supply-chain attack.

[1] https://peps.python.org/pep-0541/#how-to-request-a-name-tran...

Yeah, I noticed this library a few years ago when I was checking pypi.org for supply chain attack vulnerabilities and scanned all libraries. There are a lot of such libraries which you can take over.

Thank you! We'll check this out.

And create yet another completely non-descriptive package name?